AN ALGEBRA OF DISCRETE EVENT PROCESSES 

Michael Heymann* and George Meyer 
Ames Research Center 


SUMMARY 

This report deals with an algebraic framework for modeling and control of discrete event 
processes. The report consists of two parts. The first part is introductory, and consists of a 
tutorial survey of the theory of concurrency in the spirit of Hoare’s CSP, and an examination 
of the suitability of such an algebraic framework for dealing with various aspects of discrete 
event control. To this end a new concurrency operator is introduced and it is shown how 
the resulting framework can be applied. It is further shown that a suitable theory that deals 
with the new concurrency operator must be developed. In the second part of the report the 
formal algebra of discrete event control is developed. At the present time the second part of 
the report is still an incomplete and occasionally tentative working paper. 


*NRC Senior Research Associate, Ames Research Center, on leave from the Department of Computer 
Science, Technion, Israel Institute of Technology, Haifa 32000, Israel. 
1. INTRODUCTION 


Traditionally, control theory has dealt with the dynamic behavior of processes whose 
variables are numerical and whose evolution can be modeled by differential or difference 
equations. With the widening use of computers as essential components of systems, increasingly 
complex systems have emerged that can no longer be adequately described by conventional 
models. Indeed, in an increasing number of processes, states may have not just numerical 
values, but symbolic or logical values as well. State changes may then occur in response to 
the occurrence of discrete events that take place at discrete times, frequently asynchronously 
and nondeterministically. The control of such systems is of great practical importance and 
theoretical interest, and poses a wide range of new and intriguing intellectual challenges. 

The simplest processes that exhibit such discrete behavior are discrete event processes, 
or DEPs. These are processes whose behavior can be modeled entirely within a state-event 
framework, that is, processes whose states are discrete and state changes take place only in 
response to events that occur at discrete and irregular intervals. Some of the more common 
and familiar examples of such processes are computer operating systems, manufacturing 
systems, communication networks, traffic systems, resource (such as power or water) man- 
agement systems, and computer-based supervisory control systems of complex plants. 

A state transition and its associated event constitutes the basic fragment of a DEP. 
(Finite) state machines and their associated state transition diagrams are the simplest formal 
mechanism for collecting such fragments into a whole. State machine models are conceptually 
appealing because of their inherent simplicity and the fact that they can be described 
adequately by finite automata and the theory of regular languages. 

Recently, Ramadge and Wonham [45, 49, 50] initiated a pioneering effort of developing 
a control theory of DEPs within the framework of state machines and formal languages. In 
their framework all events are spontaneous and process-generated. Some of the events, called 
controllable events, possess a disablement mechanism accessible to the environment, and the 
control problem is to interact suitably with the process, by disabling of controllable events, so 
as to confine its behavior to within specified legal bounds. The mechanism examined in the 
work of Ramadge and Wonham for such interaction is called feedback control and consists 
of certain mappings between the process under consideration and a suitably formulated 
supervisor. Process behavior is modeled by its language, i.e., the set of event-strings that 
the process can generate. Various control-theoretic questions such as controllability [45, 49], 
observability [28, 42, 37], decentralized and hierarchical control [29, 51, 38] and stabilization 
[7, 36], as well as such questions as computational complexity [43, 44] and others were 
studied in the Ramadge-Wonham framework. Their research had a profound impact on the 
control systems research community and generated a growing interest in control of DEPs as 
evidenced by the expanding number of research contributions to this subject (e.g. [11, 12, 
22, 23, 25, 26, 48, 7, 8]). 

In spite of their inherent simplicity and corresponding attractiveness, state machines 
have a weakness as models of complex processes because they suffer from an exponential 
explosion in the number of their states. To be effective and useful, it is desirable that a 
state/event modeling formalism have the capability to somehow relax the requirement that 
all states as well as all event sequences be present explicitly in the model at all times. Thus, 
one would like to be able to suppress in such a model all aspects of its description that 
are irrelevant in a particular context. This can be achieved by event-internalization, or 
partial observation, which leads to nondeterminism in process behavior (in the automata- 
theory sense) and to inadequacy of formal languages as models of behavior. A further 
aspect of effective modeling is the ability to construct a process description from individual 
components, thus introducing as an integral element of the modeling framework modularity 
and hierarchy. Also, to obtain an effective description tool, it is important to have the 
capability of describing behavior recursively. Finally, since all modules of the process must 
interact and correctly synchronize when operating in parallel, a suitable mechanism for 
communication and interaction between the various process components must be formulated, 
that includes a suitable formalism for DEP control. 

The importance of developing a framework for modeling, specification, verification and 
synthesis of discrete event processes, with particular emphasis on computer operating sys- 
tems, data-base management, concurrent programs, and distributed computing, has been 
recognized in the computer science community for well over a decade, and a diverse and ex- 
tensive literature has developed on this subject. Notable among the various approaches that 
have been developed are Petri-Net Theory [39], linear-time and branching-time temporal log- 
ics [13, 31, 40, 24], and, of particular interest in the context of the present paper, a number 
of (closely related) algebras of concurrent processes that were inspired by Hoare’s Commu- 
nicating Sequential Processes (CSP) [20] and Milner’s Calculus of Communicating Systems 
(CCS) [33], and became widely known as the theory of concurrency [9, 10, 18, 32, 34, 4, 5]. 
(The reader is referred to the two recent volumes [2] and [3] for a broad overview of the 
current literature.) 

In spirit and in general philosophy, the theory of concurrency is well suited for modeling, 
analysis, and synthesis of discrete event control systems. A central theme in that theory is 
the description of the interaction between DEPs and their environment. Such interaction 
is modeled by parallel composition with a specified degree of event synchronization. While 
various formalisms of parallel composition have been defined and investigated in the litera- 
ture, they all rely on some framework of strict synchronization. That is, specific events of 
distinct processes must either strictly synchronize or be completely independent and inter- 
leave. These formalisms are inherently inadequate for modeling the interaction of DEPs in 
which spontaneity of events is an essential behavioral feature. 

The present paper is a tutorial introduction to the theory of concurrency and to the 
associated process-algebra and the suitability of such a methodology for modeling and con- 
trol of DEPs is examined. It is shown that the existing formalisms of synchronization are 
inadequate for modeling the interaction of (dynamic) DEPs with the environment. Accord- 
ingly, a new parallel composition operator, called prioritized synchronous composition, that 
can model a wide range of interactions among DEPs, is introduced. Aspects of the corre- 
sponding process-algebra are examined. Finally, some comments are made about aspects of 
controllability within the framework of the new methodology. A more detailed and formal 
account of the new algebra of DEPs can be found in Part 2 of this report. 

2. PROCESS COMPONENTS AND OPERATORS 


Following standard notation, let $\Sigma$ be a finite set of event labels and let $\Sigma^*$ denote the 
set of all finite strings of elements of $\Sigma$, including the empty string $\varepsilon$. A process P with 
events in $\Sigma$ is then a device that undergoes state transitions in response to events in $\Sigma$. A 
local description of P can be given in terms of individual state transitions as follows. If p 
and p' are states of P, and $\sigma$ is an event in $\Sigma$, then we shall use the notation 

$P : p \xrightarrow{\sigma} p'$ 

to express the possibility for process P to undergo transition from state p to state p' in 
response to the event $\sigma$. Similarly, we shall use the notation 

$P : p \xrightarrow{\sigma} \backslash$ 

to express the fact that when the process P is at state p, no state transition is possible in 
response to the event $\sigma$. At this stage we do not concern ourselves with the mechanism of 
event generation. 

We shall also find it convenient to refer formally to P as the global process structure 
consisting of its complete state transition tree, or graph, and its designated initial state $p_0$. 
This allows us to introduce the important prefix operator (or prefix construction) by defining 
the process Q as 

$Q := \sigma \to P$ (1) 

That is, Q is the process that starts at its initial state (say $q_0$) and, in response to event 
$\sigma$, undergoes transition to P. For example, if $P = \Delta$, the deadlock-process (that cannot 
undergo any state transitions), then (1) means that Q is the process that can execute (or 
respond to) event $\sigma$ and then deadlock. 

Another important process-operator is the controlled alternative operator $+$, which is 
defined as follows. Let $Q_1 = \sigma_1 \to P_1$ and $Q_2 = \sigma_2 \to P_2$. Then 

$Q := Q_1 + Q_2 = (\sigma_1 \to P_1) + (\sigma_2 \to P_2)$ (2) 

is the process that in its initial state can either respond to $\sigma_1$ and undergo transition to 
$P_1$, or respond to $\sigma_2$ and undergo transition to $P_2$. The choice of the initial event is at the 
disposal of the environment. 

An important element of nondeterministic process behavior is provided by the uncon- 
trolled alternative operator $\oplus$. A simple illustration of this operator is provided by the 
following situation. If $Q_1 = \sigma \to P_1$ and $Q_2 = \sigma \to P_2$, then 

$Q := Q_1 \oplus Q_2 = (\sigma \to P_1) \oplus (\sigma \to P_2) = (\sigma \to P_1 \oplus P_2)$ (3) 

This is the process that, in response to the initial event $\sigma$, undergoes transition either to $P_1$ 
or to $P_2$, but the choice is completely nondeterministic. Actually, as we shall see shortly, 
this operator is much more subtle than indicated by (3). First we need to introduce the 
event-internalization operator. 

Let P be a process with event set $\Sigma$. By the internalization of an event $\sigma \in \Sigma$, we 
refer to the removal of all occurrences of the event $\sigma$ from external view so that all state 
transitions associated with $\sigma$ become silent, or unobserved (denoted by $\varepsilon$). We denote the 
resultant process by $P \backslash \sigma$. 

Example 2.1 Consider the process $P \backslash a$ where P is given by 

$P = (a \to b \to \Delta) + (c \to \Delta)$ (4) 

as shown in the state transition graph given in figure 1. 

Figure 1. 

Notice that the process $P \backslash a$ possesses nondeterministic behavior in that the internalized 
event can occur at any time without the explicit knowledge of the observer. Thus we may 
not know whether the process is at state $p_0$ or at $p_1$. 

Definition 2.1 A DEP P is called deterministic if it has no silent transitions and for every 
state p of P and every event $\sigma \in \Sigma$ there is at most one state p' such that $P : p \xrightarrow{\sigma} p'$. 

An interesting and important question is how the process $P \backslash a$ of example 2.1 differs 
from the deterministic process $(b \to \Delta) + (c \to \Delta)$ which generates the same event- 
strings (or traces). We shall return to this and related questions in some more detail later 
but in the meantime we shall only note that the following identity holds true: 

$((a \to b \to \Delta) + (c \to \Delta)) \backslash a = ((b \to \Delta) + (c \to \Delta)) \oplus (b \to \Delta)$ (5) 
Figure 2. 

Equation 5 means that the process $P \backslash a$ can be identified in some sense with the process 
P' whose state transition graph is depicted in figure 2. In the process P' there is an initial 
nondeterministic (unobserved) transition from $p'_0$ to either $p'_1$ or $p'_2$ after which it becomes 
deterministic. The identification of two distinct processes like that in equation 5 is at the 
heart of a process-algebra and we shall return to this issue later. 

We shall conclude this section with a brief discussion of recursive equations for process 
description. 

An equation of the form 

$P = f(P)$ (6) 

where f is a function of (or an operator on) P, is a fixed-point equation, which, under 
suitable conditions (see e.g., [30, 20]), has a recursive solution (for P). Under appropriate 
restrictions this solution is even unique. Fixed point equations are a convenient way for 
process formulation. A simple illustration is given by the following example. 


Example 2.2 The (recursive) solution to the fixed point equation 

$P = (a \to b \to P) + (c \to P)$ (7) 

is the process whose transition graph is given in figure 3. (Initial state is also shown.) 

Figure 3. 

3. FORMALISMS OF CONCURRENCY 


Processes interact with their environment through communication. That is, they oper- 
ate in parallel with a specified degree of event synchronization. Thus we speak of parallel 
composition or concurrency of DEPs. Various formalisms of concurrency have been studied 
in the computer science literature. The simplest form of concurrency is parallel composition 
without synchronization, which is modeled by the interleaving behavior of the component 
processes. We shall denote this parallel composition by $(\cdot \|_\emptyset \cdot)$, where the subscript $\emptyset$ ($\subseteq \Sigma$) 
denotes the fact that the set of synchronized events is empty. Thus, if P and Q are DEPs, 
then the DEP $P \|_\emptyset Q$ is the process obtained from operating P and Q in parallel completely 
independently. The only assumption that is generally made about this parallel operation 
is that events of P and Q never coincide in time. (An exception to this assumption can 
be found e.g. in [32].) Using our notational convention, we can thus define the operator of 
parallel composition without synchronization, formally, by 

$P : p \xrightarrow{\sigma} p' \;\Rightarrow\; P \|_\emptyset Q : (p,q) \xrightarrow{\sigma} (p',q)$ (8) 

$Q : q \xrightarrow{\sigma} q' \;\Rightarrow\; P \|_\emptyset Q : (p,q) \xrightarrow{\sigma} (p,q')$ (9) 


As an example of process interleaving consider the simple processes P and Q in figure 4. 

Figure 4. (processes P and Q) 



At the other extreme of the range of possible synchronizations is the parallel composi- 
tion with full synchronization, denoted $(\cdot \|_\Sigma \cdot)$. In this case the synchronization of events is 
complete in that all events in the event set $\Sigma$ must be synchronized. Thus, if P and Q are 
$\Sigma$-processes, i.e., processes over the event set $\Sigma$, then an event in $P \|_\Sigma Q$ can take place if and 
only if it can take place simultaneously (and synchronously) in both processes. If one of the 
processes cannot participate in an event initiated by the other, the event will not take place 
in either process. If no common events exist at a given time, the composite process $P \|_\Sigma Q$ 
deadlocks. Parallel composition with full synchronization can thus be defined formally by 

$P : p \xrightarrow{\sigma} p' \;\&\; Q : q \xrightarrow{\sigma} q' \;\Rightarrow\; P \|_\Sigma Q : (p,q) \xrightarrow{\sigma} (p',q')$ (10) 

$P : p \xrightarrow{\sigma} p' \;\&\; Q : q \xrightarrow{\sigma} \backslash \;\Rightarrow\; P \|_\Sigma Q : (p,q) \xrightarrow{\sigma} \backslash$ (11) 

$Q : q \xrightarrow{\sigma} q' \;\&\; P : p \xrightarrow{\sigma} \backslash \;\Rightarrow\; P \|_\Sigma Q : (p,q) \xrightarrow{\sigma} \backslash$ (12) 

The above operator is sometimes also called composition by intersection because the trace 
set of $P \|_\Sigma Q$ is easily seen to be precisely the intersection of the trace sets of P and of Q. 


An example parallel composition with full synchronization is given in figure 5. 



Figure 5. 


A generalization of the synchronization convention, that includes parallel composition by 
interleaving and parallel composition by intersection as special cases, is given by the operator 
$P \|_A Q$, where $A \subseteq \Sigma$ is an arbitrary subset called the synchronization set. Informally, this 
is the process obtained when P and Q run independently in parallel, except that they must 
fully synchronize their events in A. This operator (strict concurrency) is defined formally by 

$P : p \xrightarrow{\sigma} p' \;\&\; Q : q \xrightarrow{\sigma} q' \;\Rightarrow\; P \|_A Q : (p,q) \xrightarrow{\sigma} \begin{cases} (p',q') & \text{if } \sigma \in A \\ (p',q) \text{ or } (p,q') & \text{otherwise} \end{cases}$ (13) 

$P : p \xrightarrow{\sigma} p' \;\&\; Q : q \xrightarrow{\sigma} \backslash \;\Rightarrow\; P \|_A Q : (p,q) \xrightarrow{\sigma} \begin{cases} (p',q) & \text{if } \sigma \notin A \\ \backslash & \text{otherwise} \end{cases}$ (14) 

$Q : q \xrightarrow{\sigma} q' \;\&\; P : p \xrightarrow{\sigma} \backslash \;\Rightarrow\; P \|_A Q : (p,q) \xrightarrow{\sigma} \begin{cases} (p,q') & \text{if } \sigma \notin A \\ \backslash & \text{otherwise} \end{cases}$ (15) 

Figure 6. 

An example of parallel composition with partial synchronization is given in figure 6. 

4. PROCESS MODELS AND LANGUAGE-CONGRUENCE 


In the present section we discuss certain questions regarding DEP modeling. The main 
purpose of a mathematical model of a DEP is to describe its behavior. We must, therefore, 
require of a model to capture enough detail about the DEP’s structure, so as to ensure that 
its behavior is fully exhibited in all circumstances. A model can be regarded as efficient if 
it captures just enough detail (for our purposes) but no more detail than necessary. Thus, 
an efficient model must not distinguish between DEPs that, in a given framework, exhibit 
identical behavior. Next we proceed to make these ideas somewhat more precise. 

As we have already seen, in a DEP modeling environment, DEPs are given by algebraic 
expressions whose arguments are also DEPs. The range of such algebraic expressions is 
determined by the range of algebraic operators that are defined in the given framework. Let 
us denote such a framework by $\mathcal{A} = \mathcal{A}(O_1, \ldots, O_k)$, where $O_1, \ldots, O_k$ are the operators under 
consideration. In the context of the framework exhibited thus far, the operators include the 
prefix operator, the alternative operators, the internalization operator, the recursion and, 
most importantly, the operator of strict concurrency: $(\cdot \|_A \cdot)$. 

By the behavior of a process P, we refer to the language $\mathcal{L}(P) \subseteq \Sigma^*$, consisting of all 
event strings, or traces, that P generates. Let M denote a modeling framework for DEPs, so 
that M(P) denotes a model for a DEP P. Then M induces an equivalence relation, denoted 
$E_M$, on the class of all DEPs under consideration. Specifically, we then say that DEPs P and 
Q are equivalent, denoted $P E_M Q$, whenever M(P) = M(Q). Clearly then for the modeling 
framework M to be adequate, we must require that if M(P) = M(Q), then P and Q must 
exhibit the same behavior under all circumstances. This leads us to the following 

Definition 4.1 An equivalence relation $E_M$ on the class of DEPs is called a language- 
congruence (with respect to $\mathcal{A}$) if for every $f \in \mathcal{A}$ and any two DEPs P and Q, 

$P E_M Q \;\Rightarrow\; \mathcal{L}(f(P)) = \mathcal{L}(f(Q))$ (16) 

In the above definition f(P) denotes an operator expression with P as an argument. (We 
do not preclude the possibility that f is an expression in more than a single argument, in 
which case our notation implies that the other arguments are held fixed.) 

Thus, in terms of the above definition, an adequate modeling framework must induce a 
language-congruence. But this, of course, does not guarantee that the modeling framework 
is efficient. Let $\mathcal{C}$ denote the set of all equivalence relations on the class of DEPs over a fixed 
event-alphabet $\Sigma$. If $E_1, E_2 \in \mathcal{C}$ are two equivalence relations, we say that $E_1$ is coarser 
than $E_2$, denoted $E_1 \succeq E_2$, if for any pair of DEPs P and Q, 

$P E_2 Q \;\Rightarrow\; P E_1 Q$ 

It is easily seen that $\succeq$ constitutes a complete partial order on DEPs [30]. We now have the 
following 

Definition 4.2 A DEP modeling framework is called efficient if it induces the coarsest 
language-congruence with respect to $\mathcal{A}$. 

Thus, a modeling framework is efficient if it includes in the model of a DEP the least amount 
of detail necessary to distinguish DEPs that differ in behavior, but identifies all processes that 
cannot be distinguished behaviorally. It is important to realize that the detail needed in the 
model is crucially dependent on the operators that are included in A. As their expressiveness 
increases, the complexity of the models must, in general, increase as well. 

Definition 4.3 A framework $\mathcal{A}$ is called deterministically closed if for each $f \in \mathcal{A}$, f(P) is 
deterministic whenever P is deterministic. 

It can be shown that (see, e.g., [35]), if $\mathcal{A}$ is deterministically closed, then $\mathcal{L}(P)$ is 
an adequate model for P. That is, $\mathcal{L}$ itself constitutes a language congruence. Obviously 
$\mathcal{L}$ is then the coarsest language congruence. The reader can convince himself without too 
much difficulty that $\mathcal{A}_1 = \mathcal{A}(\sigma \to \cdot,\; +,\; \cdot \|_A \cdot,\; \text{recursion})$ is deterministically closed. Thus, the 
behavior of deterministic processes that interact only through strict synchronization, can be 
adequately modeled by their languages.¹ 

We turn now to the case $\mathcal{A}_f = \mathcal{A}(\sigma \to \cdot,\; +,\; \oplus,\; (\cdot) \backslash \sigma,\; \cdot \|_A \cdot,\; \text{recursion})$. That is, $\mathcal{A}_f$ 
includes also the operators of uncontrolled alternative and event internalization. Nondeter- 
minism is now included in our framework. 

It is of interest, at this stage, to return to the question raised in Example 2.1 of compar- 
ing the processes $P = (b \to \Delta) + (c \to \Delta)$ and $P \backslash a$ where $P = (a \to b \to \Delta) + (c \to \Delta)$, both 
of which generate the same languages. To this end, let us consider the following example 
that shows that processes P and $P \backslash a$ are not language congruent. 

¹ This fact has been of key importance in the interesting work of Smedinga [46] on control of discrete 
events. 
Example 4.1 Consider the process $R := P \|_\Sigma Q$, where $Q = (c \to \Delta)$. Using the definition 
of parallel composition with full synchronization as given by (10)-(12), we obtain 

$R = (c \to \Delta)$ 

Next, consider the process $R' := P \backslash a \|_\Sigma Q$. While in this simple example the computation of 
R' can be performed directly without difficulty, we shall take the opportunity to demonstrate 
the use of process-algebra in computational simplification. First we shall use equation 5 to 
obtain 

$R' = (((b \to \Delta) + (c \to \Delta)) \oplus (b \to \Delta)) \|_\Sigma (c \to \Delta)$ (17) 

Next we use the following identity (see e.g., [10]) 

$(P \oplus Q) \|_A R = (P \|_A R) \oplus (Q \|_A R)$ 

which together with (17) gives 

$R' = (((b \to \Delta) + (c \to \Delta)) \|_\Sigma (c \to \Delta)) \oplus ((b \to \Delta) \|_\Sigma (c \to \Delta))$ 

$\phantom{R'} = (c \to \Delta) \oplus \Delta$ 

where the last equality is obtained with the aid of (10)-(12). Comparing R with R', we 
see that R' can deadlock initially, while R cannot. Indeed, the choice of whether R' will 
initially deadlock or not, is completely nondeterministic. This nondeterminism can best be 
understood upon noting that $P \backslash a$ can undergo a silent transition from $p_0$ to $p_1$ (see fig. 1), 
and there is no observable mechanism to guarantee that the event c be offered by Q prior 
to such transition. The above example illustrates the fact that the language model is not 
a language-congruence when nondeterminism is present. Specifically, the language model 
cannot adequately express the possibility of deadlock. This fact motivated the introduction 
by [10] (see also [9, 20, 34, 35]) of the more sophisticated failures model. This model, which 
is obviously more detailed than the language model, represents a process by its failures set 
$\mathcal{F} = \{(s, X)\}$, where a failure (s, X) consists of a trace s, i.e., a string of events that the 
process can execute, and a refusal set X that consists of the events that the process can 
reject (or refuse) after the execution of s. We shall not elaborate here on the failures model 
except for giving a simple illustrative example. 

Example 4.2 The failures set of the process $P \backslash a$ of example 2.1 is given by² 

$\mathcal{F}(P \backslash a) = \{(\varepsilon, \emptyset),\; (\varepsilon, \{c\}),\; (b, \{b, c\}),\; (c, \{b, c\})\}$ 

² We give here only the failures with maximal refusals. 
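The strict-concurrency rules (13)-(15) of Section 3, the internalization identity (5), and the language-versus-failures comparison of Examples 4.1 and 4.2, worked in Python as an added example that is not part of the paper. The processes are built here from the paper's expressions; the state-wise refusal convention used in `failures` is an assumption chosen to reproduce the set listed in Example 4.2.

```python
# Added example (not from the paper): language model vs. failures model on the
# processes of Examples 2.1, 4.1 and 4.2.  A process is a finite LTS; EPS is a silent move.
EPS = "eps"   # silent (internalized) transition, never part of a trace

class Process:
    """(state, event, next_state) triples plus an initial state."""
    def __init__(self, init, trans):
        self.init, self.trans = init, list(trans)

    def moves(self, p):
        return [(e, n) for (s, e, n) in self.trans if s == p]

    def eps_closure(self, p):   # states reachable from p by silent moves only
        seen, stack = {p}, [p]
        while stack:
            for e, n in self.moves(stack.pop()):
                if e == EPS and n not in seen:
                    seen.add(n)
                    stack.append(n)
        return seen

    def offered(self, p):       # visible events acceptable at p, silent moves allowed first
        return {e for x in self.eps_closure(p) for e, _ in self.moves(x) if e != EPS}

def hide(P, a):
    """Event internalization P\\a: every a-transition becomes silent."""
    return Process(P.init, [(s, EPS if e == a else e, n) for (s, e, n) in P.trans])

def uncontrolled_alt(P, Q):
    """P (+) Q: a fresh initial state moves silently to either operand."""
    lt = [(("L", s), e, ("L", n)) for s, e, n in P.trans]   # tag states to keep them apart
    rt = [(("R", s), e, ("R", n)) for s, e, n in Q.trans]
    return Process("oplus", [("oplus", EPS, ("L", P.init)), ("oplus", EPS, ("R", Q.init))] + lt + rt)

def strict_concurrency(P, Q, A):
    """P ||_A Q of (13)-(15): events in A need both processes, all others interleave.
    EPS is never in A, so silent moves interleave freely."""
    init = (P.init, Q.init)
    trans, todo, seen = [], [init], {init}
    while todo:
        p, q = todo.pop()
        new = []
        for e, p2 in P.moves(p):
            if e in A:   # (13), sigma in A: both move; (14): blocked when Q cannot
                new += [(e, (p2, q2)) for e2, q2 in Q.moves(q) if e2 == e]
            else:        # (13)/(14) otherwise: P moves alone
                new.append((e, (p2, q)))
        for e, q2 in Q.moves(q):
            if e not in A:   # (15) otherwise: Q moves alone
                new.append((e, (p, q2)))
        for e, n in new:
            trans.append(((p, q), e, n))
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return Process(init, trans)

def reach(P, maxlen=8):
    """All (trace, state) pairs reachable from the initial state (traces bounded by maxlen)."""
    out, todo = set(), [((), P.init)]
    while todo:
        s, p = todo.pop()
        if (s, p) in out:
            continue
        out.add((s, p))
        for e, n in P.moves(p):
            if e == EPS:
                todo.append((s, n))
            elif len(s) < maxlen:
                todo.append((s + (e,), n))
    return out

def language(P):
    """L(P): the set of traces P can generate."""
    return {s for s, _ in reach(P)}

def failures(P, alphabet):
    """Failures (s, X), one per state reachable by s: X = alphabet minus what that state offers.
    This state-wise reading reproduces the set listed in Example 4.2."""
    return {(s, frozenset(alphabet - P.offered(p))) for s, p in reach(P)}

def deadlocks_initially(P, alphabet):
    """True iff (eps, alphabet) is a failure: P may refuse everything before doing anything."""
    return ((), frozenset(alphabet)) in failures(P, alphabet)

SIGMA = {"a", "b", "c"}
P = Process("p0", [("p0", "a", "p1"), ("p1", "b", "p2"), ("p0", "c", "p3")])  # equation (4)
P_HIDE_A = hide(P, "a")                                                         # P\a, Example 2.1
P_DET = Process("r0", [("r0", "b", "r1"), ("r0", "c", "r2")])                   # (b -> D) + (c -> D)
Q = Process("q0", [("q0", "c", "q1")])                                          # Q = (c -> D)
R = strict_concurrency(P, Q, SIGMA)                # R  = P   ||_Sigma Q  (Example 4.1)
R_PRIME = strict_concurrency(P_HIDE_A, Q, SIGMA)   # R' = P\a ||_Sigma Q

def example_4_1():
    """(languages equal?, R deadlocks initially?, R' deadlocks initially?)"""
    return (language(R) == language(R_PRIME), deadlocks_initially(R, SIGMA),
            deadlocks_initially(R_PRIME, {"b", "c"}))

def identity_5_holds():   # equation (5) checked in the failures model over {b, c}
    return failures(P_HIDE_A, {"b", "c"}) == failures(uncontrolled_alt(P_DET, Process("t0", [("t0", "b", "t1")])), {"b", "c"})
```

The languages of R and R' coincide, so only the failures (here the initial refusal of every event by R') separate the two processes.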
5. PROCESS ALGEBRA 

By a Process Algebra we refer to a set of algebraic identities between process expressions. 
Such an algebra can then be used to manipulate, combine and simplify process expressions 
and perform a variety of computations with processes symbolically rather than explicitly. 
We have already encountered in the foregoing several algebraic process identities, and a 
simple example of their use in computational simplification was seen in example 4.1. The 
chief utility of a behavioral (or semantic) modeling framework of processes is in establishing 
the algebraic identities. It is for this reason that we must guarantee that the modeling 
framework constitutes a behavioral (in our case, a language) congruence. The derivation 
of these identities is beyond the scope of the present paper but for illustrative purposes 
we give below a partial list of algebraic identities that are valid for the failures model with 
respect to $\mathcal{A}_f$ (see, e.g., [35] for details). 


$P + Q = Q + P$ (18) 

$(P + Q) + R = P + (Q + R)$ (19) 

$P + P = P$ (20) 

$P + \Delta = P$ (21) 

$P \oplus Q = Q \oplus P$ (22) 

$(P \oplus Q) \oplus R = P \oplus (Q \oplus R)$ (23) 

$P \oplus P = P$ (24) 

$(P + Q) \oplus R = (P \oplus R) + (Q \oplus R)$ (25) 

$(P \oplus Q) + R = (P + R) \oplus (Q + R)$ (26) 

$(\sigma \to P) + (\sigma \to Q) = (\sigma \to P) \oplus (\sigma \to Q)$ (27) 

$(\sigma \to P) \oplus (\sigma \to Q) = (\sigma \to P \oplus Q)$ (28) 

$P \|_A P = P$ (29) 

$P \|_A Q = Q \|_A P$ (30) 

$P \|_A (Q \oplus R) = (P \|_A Q) \oplus (P \|_A R)$ (31) 

$(P \backslash a) \backslash b = P \backslash (a \cup b)$ (32) 

$(P \oplus Q) \backslash a = P \backslash a \oplus Q \backslash a$ (33) 

$(b \to P) \backslash a = \begin{cases} P \backslash a & \text{if } b = a \\ (b \to P \backslash a) & \text{if } b \neq a \end{cases}$ (34) 

$((a \to P) + Q) \backslash a = P \backslash a \oplus (P + Q) \backslash a$ (35) 

6. THE RAMADGE-WONHAM DISCRETE-EVENT CONTROL FORMALISM 


In their pioneering work on the control of DEPs, Ramadge and Wonham (RW) [45, 49, 
50] introduced the following formalism. A DEP is modeled as a deterministic state-machine 
or automaton, called generator, which is given by a 4-tuple³ 

$G = (\Sigma, Q, \delta, q_0)$ (36) 

where Q is a set of states, $\Sigma$ is a set of events, $\delta : \Sigma \times Q \to Q$ is a partial function called 
the transition function, and $q_0$ is the initial state. The statement that $\delta$ is a partial function 
means that it need not be defined for all pairs $(\sigma, q) \in \Sigma \times Q$. 

Control is introduced as follows. It is assumed that all events occur in the process spon- 
taneously and asynchronously, but some of the events have a mechanism for their disablement 
at any time. Thus the event set $\Sigma$ is partitioned into two disjoint subsets 

$\Sigma = \Sigma_u \cup \Sigma_c$ (37) 

where $\Sigma_c$ is the subset of events that can be disabled, called controllable events, and $\Sigma_u$ is 
the subset of events whose occurrence cannot be disabled, called uncontrollable. A control 
input for G is now defined as a subset $\Gamma \subseteq \Sigma_c$ of events that are disabled at any instant of 
time. Control of a DEP consists of switching the disablement set $\Gamma$ as the process progresses 
in its run. With this event-set partition and associated disablement mechanism the DEP is 
called a controlled DEP, or CDEP. 

The control execution is performed by a supervisor which can abstractly be thought of 
as a map 

$h : \mathcal{L}(G) \to \Gamma$ (38) 

Concretely, this means that after every event that takes place in the process, a new event 
set is supplied to the process for disablement. Thus when the CDEP is supervised by a 
supervisor h, the generator G must be modified by redefining the transition map $\delta$ as $\delta'$, 
where 

$\delta'(\sigma, q) = \begin{cases} \delta(\sigma, q) & \text{if } \sigma \notin \Gamma \\ \text{undefined} & \text{otherwise} \end{cases}$ 

³ Actually, Ramadge and Wonham have a somewhat more general setting where a DEP is a 5-tuple that 
includes also marker states, but these are inessential to the present exposition. 
Let $\mathcal{L}_c(G)$ denote the language generated by G under control, i.e., in closed loop. Then it is 
clear that the domain of the map h can be restricted to $\mathcal{L}_c(G)$. In practice, it is convenient 
to use a state machine realization for $\mathcal{L}_c(G)$. Thus one defines $S = (\Sigma, X, \xi, x_0)$ as the 
automaton realizing $\mathcal{L}_c(G)$, and the map h is replaced by a feedback map $\phi : X \to \Gamma$ such 
that for $s \in \mathcal{L}_c(G)$ 

$\phi(\xi(s, x_0)) = h(s)$ (39) 

where $\xi(s, x_0)$ is the standard extension of the transition map to strings [21]. 

7. STRICT CONCURRENCY AND DISCRETE EVENT CONTROL 

A key element in the Ramadge-Wonham control problem formulation is the introduction 
of what may be thought of as discrete-event dynamics, where by dynamics we refer to the 
presence of spontaneity, that is, the existence of events whose occurrence cannot be influenced 
by the environment. 

Let us next examine the possibility of modeling the control of discrete event processes 
using the formalism of strict concurrency as described in Section 3. To this end consider first 
the simple control problem described in figure 7. 


Figure 7. (process P and supervisor S) 


Here all events of the process P are controllable, that is $\Sigma_c = \Sigma = \{a, b, c, d\}$ and $\Sigma_u = \emptyset$. 
The process S is to be thought of as the supervisor for P, with supervision achieved through 
concurrency with full synchronization. Specifically, when P is at state $p_i$ and S is at state 
$s_j$, then the possibility of occurrence of an event, say a, in $R = P \|_\Sigma S$ at state $r_k = (p_i, s_j)$ 
means that the event is enabled by S and possible (subject to enablement) in P. An event 
in R is, thus, interpreted as enabled by S and occurring in P, and the participation of both 
processes in an event is essential for its occurrence. Thus, when all events are controllable, 
we can model control by strict concurrency with full event synchronization. 





As it turns out, this is not quite as straightforward when we introduce dynamics, or 
uncontrollable events. Let us first try to clarify the synchronization status of the various 
events. Clearly, the controllable events must belong to the synchronization set as before, 
because it takes the supervisor to enable an event and the process to execute it. But what 
about the uncontrollable events? If an uncontrollable event is possible both in P and in S (at 
their respective states), its occurrence in the concurrent process must be given the physical 
interpretation as having been executed in S in response to its (spontaneous) occurrence in P . 
If it is possible only in P, but not in S, it will still occur in P, and hence in the concurrent 
process, because of its uncontrollability. But if an uncontrollable event is possible only in S, 
it will not occur because S cannot initiate the event. 

Let us re-examine the process $R = P \|_\Sigma S$ of figure 7. Let us assume that the event d 
is uncontrollable. Thus let $\Sigma_c = \{a, b, c\}$ and $\Sigma_u = \{d\}$. The event d appears in R after 
the occurrence of b but not after a. This is physically incorrect because once a occurs, the 
event d cannot be blocked by its absence in the supervisor: the process P may execute it regardless. 
If, on the other hand, we remove the uncontrollable events from the synchronization set, 
and try to model controlled behavior by $R' = P \|_{\Sigma_c} S$, we would obtain the process R' as in 
figure 8, which is unsatisfactory because it permits the occurrence of the event d without 
participation of P, which is impossible in the physical process. 



Figure 8. $R' = P \|_{\{a, b, c\}} S$ 


Thus, it is clear that strict concurrency with synchronization cannot be used as a sat- 
isfactory framework for modeling the interaction of dynamical discrete-event processes with 
their environment. More specifically, strict concurrency is an inadequate formalism for mod- 
eling control of discrete event processes within the Ramadge-Wonham framework (unless 
we impose special restrictive conditions on the supervisor⁴). So, we must look further for 
complexity reducing formalisms. 

⁴ Such as the condition of supervisor completeness [45]. 
8. CONCURRENCY BY PRIORITIZED SYNCHRONIZATION 


In the present section we introduce a new concurrency operator, called prioritized 
synchronous composition that is suitable for modeling a wide range of practical control 
formalisms. 

Let the event set be denoted by Σ and consider two processes P and Q with events in Σ. 
With each process we associate a subset of special events, called its set of priority (or blocking) 
events. These are events in whose execution the given process must participate; otherwise 
they cannot take place. Thus, let A, B ⊆ Σ be the priority sets of P and Q, respectively, 
and define the prioritized synchronous composition of P and Q, denoted P_A||_B Q, as follows: 

$P: p \xrightarrow{\sigma} p' \;\&\; Q: q \xrightarrow{\sigma} q' \;\Rightarrow\; P_A\|_B Q: (p,q) \xrightarrow{\sigma} (p',q')$ (40) 

$P: p \xrightarrow{\sigma} p' \;\&\; Q: q \overset{\sigma}{\nrightarrow} \;\Rightarrow\; P_A\|_B Q: (p,q) \begin{cases} \xrightarrow{\sigma} (p',q) & \text{if } \sigma \notin B \\ \overset{\sigma}{\nrightarrow} & \text{if } \sigma \in B \end{cases}$ (41) 

$Q: q \xrightarrow{\sigma} q' \;\&\; P: p \overset{\sigma}{\nrightarrow} \;\Rightarrow\; P_A\|_B Q: (p,q) \begin{cases} \xrightarrow{\sigma} (p,q') & \text{if } \sigma \notin A \\ \overset{\sigma}{\nrightarrow} & \text{if } \sigma \in A \end{cases}$ (42) 

Expression (40) states that if, at their respective states, both processes P and Q can execute 
a given event σ, then it will be executed concurrently (i.e., in synchronization) in both 
processes. Both processes will then undergo simultaneously their respective state transitions. 
Notice that, when both processes can execute an event concurrently, the mathematical model 
does not distinguish which process initiates the event. Indeed, as we shall see shortly, this is 
a matter for the physical interpretation. Expressions (41) and (42) define the concurrency 
operator in case an event is possible in (initiated by) one of the processes but is not 
possible in the other: in this case, the initiating process will execute the event without 
participation of the other, unless the event is in the priority set of the latter, in which case 
the execution of the event is blocked. 

It is not difficult to see that the prioritized synchronous composition operator partitions 
the event set Σ into four distinct (and disjoint) subsets: 

(i) The set A ∩ B of strict-synchronization events. These events are either executed by 
both processes concurrently or by none. 

(ii) The set Σ − (A ∪ B) of broadcast synchronization events. Each process can offer these 
events for execution and the other process will participate in their execution syn- 
chronously if it can. But if it cannot (i.e., if the event is impossible in its current 
state), the initiating process will execute the event by itself. 

(iii) The set A − A ∩ B of priority events of process P. The execution of these events will 
take place if and only if the process P participates. The participation of the process Q 
in these events will take place whenever possible, i.e., whenever Q can in its respective 
state. But lack of participation by Q cannot block execution by P. 

(iv) The set B − A ∩ B of priority events of process Q. (Similar to (iii) above.) 

To illustrate the prioritized synchronous composition, consider the following simple 
example: 

Example 8.1 Let Σ = {a, b, c} and consider the parallel composition of processes P and Q 
as described in figure 9, where A = {a, c} and B = {a, b}. 


Figure 9. P, Q and R = P_A||_B Q 

Observe that the event a occurs only when both processes P and Q participate in the 
execution, taking R from state r_3 = (p_1, q_1) to r_4 = (p_2, q_2). However, the event c occurs in 
R either by participation of both processes, for example in the transition from r_1 = (p_0, q_1) to 
r_2 = (p_1, q_0), or by execution of P alone, in case the event is not available in Q, as for example 
in the transition from r_0 = (p_0, q_0) to r_2 = (p_1, q_0). Notice also that the transition of process P 
from p_2 to p_0 never takes place when it runs concurrently with Q because the event b is in 
the priority set of Q, but Q is never at state q_0 when P is at p_2. The important property 
that is demonstrated above, and that distinguishes prioritized synchronous composition from 
other concurrency operators, is the fact that the behavior of the concurrent process with 
respect to a given event depends not just on the event, but also on the context and event 
availability. 

We turn now to an examination of how our prioritized synchronous composition can 
model control of DEPs. First we remark that DEPs frequently have other mechanisms for 
interaction with the environment than the one investigated by Ramadge and Wonham. For 
example, the process may also possess driven events that must be forced or triggered by the 
environment in order to take place. Driven events are then distinguished from controllable 
events in that when they are possible in the process and triggered by the controller, they are 
guaranteed to take place immediately and instantaneously. 

We shall let P denote the process under consideration, and let S denote the supervisor. 
The controlled, or closed-loop, process is then given by 

$R = (S/P) := P_A\|_B S$ (43) 

where the priority sets A and B are suitably chosen so as to correctly model the physical 
environment. The event set Σ will be partitioned into three disjoint subsets 

$\Sigma = \Sigma_u \cup \Sigma_c \cup \Sigma_d$ (44) 

where Σ_u is the subset of uncontrollable events, Σ_c is the set of controllable events, and Σ_d 
is the set of driven events. We turn now to two examples. First we consider an example in 
the Ramadge-Wonham framework, that is, Σ_d = ∅. 

Example 8.2 Let the event set be Σ = {a, b, c, d, e}, and consider the simple processes P 
and S of figure 10. 

Figure 10. Process P and process S. 


Suppose P is the controlled process and let the subset of controllable events be Σ_c = 
{a, b, c}, and the subset of uncontrollable events be Σ_u = {d, e}. Thus, the events in Σ_c 
can be disabled while the events in Σ_u cannot. Let us now see how we can model control 
of process P by supervisor S through prioritized synchronous composition of P and S. 
Since all events are assumed to be spontaneous events of the process P, its priority set A 
must include them all, that is, A = Σ. The uncontrollable events cannot be influenced 
by the environment. Thus, the priority set B (of the supervisor S) must not include any 
uncontrollable event of P. This means that uncontrollable events of P cannot be blocked 
by the supervisor, but the supervisor may (if the designer so wishes) execute (concurrently) 
state transitions in response to their occurrence in P. The controllable events, however, will 
not occur in the process unless they are enabled by the supervisor. Thus, the controllable 
events must be in the supervisor's priority set B, and we have B = {a, b, c}. Notice that in 
this case Σ − (A ∪ B) = ∅, A ∩ B = Σ_c, A − A ∩ B = Σ_u, and B − A ∩ B = ∅. 


In our example the controlled process R = P_A||_B S = P_Σ||_{Σ_c} S is then obtained as 
depicted in figure 11, where r_0 = (p_0, s_0), r_1 = (p_1, s_1), r_2 = (p_3, s_0) and r_3 = (p_4, s_3). 
Notice that the controllable events a and c are both enabled by S while the event b is not. 
Hence in the controlled process R, the event a is present and will occur if it occurs in P. 
The events b and c do not appear in R; the first because it is not enabled by S and the 
second because it is not possible in P. The events d and e appear in R and occur whenever 
they occur in P regardless of their possibility (or lack of it) in S. Thus, if e happens in P, 
then S participates synchronously, while if d happens in P, then S remains in its initial 
state s_0. 

Figure 11. Process R = P_Σ||_{Σ_c} S 

Next, we consider an example of control with driven events. 

Example 8.3 Let Σ, P and S be defined as in example 8.2 but suppose that the events 
consist of uncontrollable events and driven events. Thus, the set of uncontrollable events is 
Σ_u = {d, e} as before, and the set of driven events is Σ_d = {a, b, c}. Clearly, the priority set 
A must include Σ_u in view of the physical nature of the uncontrollable events: process P 
makes unilateral transitions on uncontrollable events. Hence Σ_u ⊆ A. However, the events of 
Σ_d may or may not be included in A, depending on the specific control mechanism employed 
(rather than on the physical character of the events). Thus, we shall say that driven events 
are synchronized in closed-loop if they are included in the priority set A. In this case 
the supervisor S, which initiates the driven events, waits for an acknowledgement that 
the triggered event is actually possible (and executed) before it proceeds with further state 
transitions of its own. Driven events that are not included in A are said to be executed in 
open-loop. In open-loop mode, the forcing process does not wait for acknowledgement. 

Thus, if we assume in our example closed-loop control with driven events, we have 
A = Σ and B = {a, b, c}. It is easy to see that the controlled process R is again obtained 
as in figure 11, and in fact there is no sharp distinction between closed-loop control with 
driven events and the enablement mechanism of controllable events, except for the physical 
interpretation. 

Assume now, on the other hand, that the control of driven events is performed in 
open-loop. Then A = {d, e} and B = {a, b, c}. Thus, the driven events will occur in the 
concurrent process whenever they are triggered by, and hence occur in, S regardless of their 
actual occurrence in P. The controlled process in this case is obtained as in figure 12 where 
r_0 = (p_0, s_0), r_1 = (p_1, s_1), r_2 = (p_0, s_2), r_3 = (p_3, s_0) and r_4 = (p_4, s_3). Notice that the 
event c is executed without the participation of P while the event d is executed without 
participation of S. 


Figure 12. 



We can summarize the discussion of this section with a formal classification of the events 
with respect to the priority sets A and B as follows. First, we have the requirements that 

1. A ⊇ Σ_u ∪ Σ_c. 

2. B = Σ_c ∪ Σ_d. 

The subset Σ_dc := Σ_d ∩ A is then the set of closed-loop driven events and the set Σ_do := 
Σ_d − Σ_dc is the set of open-loop driven events. 
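To make rules (40)-(42) and the control interpretation of this section concrete, the following Python code is an added example and is not part of the original report. It composes two finite deterministic transition structures according to (40)-(42), partitions the alphabet into the four classes (i)-(iv), and runs the two control modes of examples 8.2 and 8.3 (closed-loop enablement with A = Σ, B = Σ_c, and open-loop driven events with A = Σ_u, B = Σ_d) on a small plant P and supervisor S. Those two processes, and all function names, are constructed here; they are not the processes of figures 10-12.

```python
"""Prioritized synchronous composition (PSC) of two finite deterministic
discrete event processes, following rules (40)-(42). Added example."""
from collections import deque


def psc(P, p0, A, Q, q0, B):
    """Reachable part of P_A||_B Q.

    P and Q map state -> {event: next_state}; A and B are the priority sets.
    Returns (transitions, initial_state) in the same state -> {event: next} form."""
    R, seen, todo = {}, {(p0, q0)}, deque([(p0, q0)])
    while todo:
        p, q = todo.popleft()
        R[(p, q)] = {}
        for ev in set(P[p]) | set(Q[q]):
            in_p, in_q = ev in P[p], ev in Q[q]
            if in_p and in_q:                   # (40): both can execute -> synchronize
                nxt = (P[p][ev], Q[q][ev])
            elif in_p and ev not in B:          # (41): P alone, unless Q has priority on ev
                nxt = (P[p][ev], q)
            elif in_q and ev not in A:          # (42): Q alone, unless P has priority on ev
                nxt = (p, Q[q][ev])
            else:
                continue                        # blocked by the other process's priority set
            R[(p, q)][ev] = nxt
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return R, (p0, q0)


def language(T, init, max_len=6):
    """Traces of a transition structure, as strings, up to max_len events."""
    out, todo = set(), deque([(init, "")])
    while todo:
        s, trace = todo.popleft()
        out.add(trace)
        if len(trace) < max_len:
            for ev, nxt in T[s].items():
                todo.append((nxt, trace + ev))
    return out


def event_classes(sigma, A, B):
    """The four disjoint classes (i)-(iv) that P_A||_B Q induces on sigma."""
    return {
        "strict_sync": A & B,        # (i)   executed by both or by none
        "broadcast": sigma - (A | B),  # (ii)  either side may execute alone
        "priority_P": A - B,         # (iii) only with P's participation
        "priority_Q": B - A,         # (iv)  only with Q's participation
    }


SIGMA = set("abcde")
SIGMA_C, SIGMA_U, SIGMA_D = set("abc"), set("de"), set("abc")

# Constructed plant P and supervisor S (hypothetical; not the ones of figures 10-12).
P = {"p0": {"a": "p1", "d": "p3"}, "p1": {"b": "p2", "e": "p4"},
     "p2": {}, "p3": {}, "p4": {}}
S = {"s0": {"a": "s1", "c": "s2"}, "s1": {"e": "s3"}, "s2": {}, "s3": {}}


def closed_loop_language():
    """Example 8.2 style: A = Sigma (P owns every event), B = Sigma_c.
    b is absent (never enabled by S), c is absent (impossible in P),
    d occurs even though S cannot execute it."""
    R, r0 = psc(P, "p0", SIGMA, S, "s0", SIGMA_C)
    return language(R, r0)


def open_loop_language():
    """Example 8.3, open loop: A = Sigma_u only, B = Sigma_d.
    c is now executed by S without P, d by P without S."""
    R, r0 = psc(P, "p0", SIGMA_U, S, "s0", SIGMA_D)
    return language(R, r0)


if __name__ == "__main__":
    print(sorted(closed_loop_language()))
    print(sorted(open_loop_language()))
    print(event_classes(SIGMA, SIGMA, SIGMA_C))
```

In the closed-loop run every trace of R is a trace of P, as (56) later requires; in the open-loop run the trace "c" appears although P cannot execute c, which is exactly the behavior the text attributes to figure 12.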

Finally, as was stated earlier, we identify process behavior with the language that it 
generates. Thus, we must guarantee that we have a behavioral model for DEPs that consti- 
tutes a language-congruence with respect to an algebraic framework that includes prioritized 
synchronous composition. We turn to this topic in the next section. 


9. THE TRAJECTORY MODEL AND ASSOCIATED ALGEBRA 


We have seen in the previous section how the prioritized synchronous composition op- 
erator _A||_B can be used to model a wide range of parallel composition formalisms and 
is, in particular, suitable for modeling dynamics and discrete-event control. We have also 
mentioned that the failures model captures adequately deadlock phenomena in nondetermin- 
istic behavior. It turns out, however, that in general the failures model cannot adequately 
account for the range of possible interleavings that can occur in the framework of the oper- 
ator _A||_B when nondeterminism is also present. This is illustrated in the following simple 
example: 

Example 9.1 Consider the two processes 

$P = (a \to ((c \to \Delta) + (b \to \Delta))) \oplus (a \to b \to d \to \Delta)$ 

$P' = (a \to ((c \to \Delta) + (b \to d \to \Delta))) \oplus (a \to b \to \Delta)$ 

It is easily seen that P and P' have the same failures set, which is given by⁵ 

$\{(\varepsilon, \{b,c,d\}),\ (a, \{a,d\}),\ (a, \{a,c,d\}),\ (ac, \{a,b,c,d\}),\ (ab, \{a,b,c\}),\ (ab, \{a,b,c,d\}),\ (abd, \{a,b,c,d\})\}$ 

To see that they do not behave the same way under prioritized synchronous composition, 
let them have priority set A = {a, b, d} and run them in parallel with the process Q with 
priority set B = {a, b, c}, where 

$Q = a \to c \to b \to \Delta$ 

We obtain distinct results: 

$R = P_A\|_B Q = (a \to c \to \Delta) \oplus (a \to c \to b \to d \to \Delta)$ 

$R' = P'_A\|_B Q = (a \to c \to \Delta) \oplus (a \to c \to b \to \Delta)$ 

In view of the above, it is clear that the failures model is not a language congruence 
with respect to $\mathcal{A}_T = \mathcal{A}(\sigma \to \cdot,\ +,\ \oplus,\ (\cdot)\backslash a,\ {}_A\|_B,\ \text{recursion})$. 

We turn now to a brief discussion of a model, called the trajectory model, that is a 
language congruence with respect to $\mathcal{A}_T$, and which has been examined in detail in part 2 
of this report in the framework of a complete axiomatic theory. In the trajectory model 
the process is specified by its set of trajectories. A process trajectory is a record of an 
'experiment' that describes an execution of a string of events, and records, in addition to the 
executed events, also the events that the process can reject (or refuse) after each successful 
event. A typical trajectory is then an object of the form 

$(X_0, \sigma_1, X_1, \ldots, X_{k-1}, \sigma_k, X_k)$ 

where σ_i denotes the i-th successful event, X_i denotes the set of events that can be 
refused after the i-th executed event, and X_0 denotes the set of events that can be 
refused initially. The following is an example of the trajectory set of a process (listing only 
the trajectories of maximal length with maximal refusal sets). 

Example 9.2 The set of trajectories of maximal length with maximal refusals of the process 
P of example 9.1 is given by 

$T(P) = \{(\{b,c,d\}, a, \{a,d\}, c, \{a,b,c,d\}),$ 
$\qquad (\{b,c,d\}, a, \{a,d\}, b, \{a,b,c,d\}),$ 
$\qquad (\{b,c,d\}, a, \{a,c,d\}, b, \{a,b,c\}, d, \{a,b,c,d\})\}$ 

The set of trajectories of maximal length (with maximal refusals) of the process P' of exam- 
ple 9.1 is given by 

$T(P') = \{(\{b,c,d\}, a, \{a,d\}, c, \{a,b,c,d\}),$ 
$\qquad (\{b,c,d\}, a, \{a,c,d\}, b, \{a,b,c,d\}),$ 
$\qquad (\{b,c,d\}, a, \{a,d\}, b, \{a,b,c\}, d, \{a,b,c,d\})\}$ 

Notice that the trajectory sets for the processes P and P' (both of which have the same 
failures set) are distinct. This distinction accounts for their different behavior under parallel 
composition that was evidenced in example 9.1. 

⁵ Again, we list just the failures with maximal refusals. 
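The processes of example 9.1 and the trajectory sets of example 9.2 can be computed mechanically. The following Python code is an added example, not part of the report: it represents process terms with prefix (σ → ·), external choice (+), internal choice (⊕) and the deadlock process Δ, resolves the internal choices into stable configurations, and derives both the maximal-refusal trajectories and the failures from those configurations. The term encoding and the function names are this example's own. Running it confirms the point of the two examples: P and P' have identical failures but different trajectory sets.

```python
"""Failures versus trajectories for the terms of Example 9.1. Added example.
Terms: DELTA (deadlock), pre(a, T) for a -> T, ext(T1, T2) for +, choice(T1, T2) for (+)."""

DELTA = ("delta",)


def pre(a, t):
    return ("pre", a, t)


def ext(*ts):
    return ("ext",) + ts


def choice(*ts):          # internal (nondeterministic) choice
    return ("int",) + ts


def configs(t):
    """Stable configurations of t once every internal choice is resolved.
    Each configuration maps an offered event to its continuation term."""
    kind = t[0]
    if kind == "delta":
        return [{}]
    if kind == "pre":
        return [{t[1]: t[2]}]
    if kind == "int":                    # union of the alternatives' configurations
        return [c for alt in t[1:] for c in configs(alt)]
    if kind == "ext":                    # one configuration per combination of branches
        result = [{}]
        for alt in t[1:]:
            merged = []
            for acc in result:
                for c_alt in configs(alt):
                    c = dict(acc)
                    for ev, nxt in c_alt.items():
                        # same event offered by two branches: continuation is nondeterministic
                        c[ev] = choice(c[ev], nxt) if ev in c else nxt
                    merged.append(c)
            result = merged
        return result
    raise ValueError(kind)


def trajectories(t, alphabet):
    """All trajectories (X0, s1, X1, ..., sk, Xk) of t with maximal refusal sets."""
    out = set()
    for c in configs(t):
        refusal = frozenset(alphabet - set(c))   # everything not offered is refused
        out.add((refusal,))
        for ev, nxt in c.items():
            for tail in trajectories(nxt, alphabet):
                out.add((refusal, ev) + tail)
    return out


def failures(t, alphabet):
    """Failures (trace, maximal refusal): a trajectory with its intermediate refusals dropped."""
    return {(tr[1::2], tr[-1]) for tr in trajectories(t, alphabet)}


SIGMA = frozenset("abcd")
P = choice(pre("a", ext(pre("c", DELTA), pre("b", DELTA))),
           pre("a", pre("b", pre("d", DELTA))))
P1 = choice(pre("a", ext(pre("c", DELTA), pre("b", pre("d", DELTA)))),
            pre("a", pre("b", DELTA)))


def same_failures():
    return failures(P, SIGMA) == failures(P1, SIGMA)


def same_trajectories():
    return trajectories(P, SIGMA) == trajectories(P1, SIGMA)


if __name__ == "__main__":
    print("same failures:", same_failures())
    print("same trajectories:", same_trajectories())
    for tr in sorted(trajectories(P1, SIGMA) - trajectories(P, SIGMA), key=len):
        print("only in T(P'):", tr)
```

The trajectory listed as "only in T(P')" is ({b,c,d}, a, {a,d}, b, {a,b,c}, d, {a,b,c,d}): after a it records the refusal {a,d} (so c was still available) and yet continues with b and then d. In P no run offers c at the point where it later offers d, and that is the difference the failures model throws away.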

It has been shown (see part 2 of this report) that the algebraic identities (18)-(28) as 
well as the identities (32)-(35) also hold for the trajectory model with respect to $\mathcal{A}_T$. For 
parallel composition the following identities can be shown to be true: 

$P_A\|_B P = P$ (45) 

$P_A\|_B Q = Q_B\|_A P$ (46) 

$(P_A\|_B Q)_{A \cup B}\|_C R = P_A\|_{B \cup C}(Q_B\|_C R)$ (47) 

$P_A\|_B (Q \oplus R) = (P_A\|_B Q) \oplus (P_A\|_B R)$ (48) 

We conclude this section with a list of some language relations that hold true for the tra- 
jectory model. These relations are useful in deriving certain properties of controlled DEPs 
that are discussed briefly in the following section. 

$A_1 \subseteq A_2 \Rightarrow \mathcal{L}(P_{A_2}\|_B Q) \subseteq \mathcal{L}(P_{A_1}\|_B Q)$ (49) 

$\mathcal{L}(P) \subseteq \mathcal{L}(Q) \Rightarrow \mathcal{L}(P) \subseteq \mathcal{L}(P_A\|_B Q)$ (50) 

$\mathcal{L}(P_1) \subseteq \mathcal{L}(P_2) \Rightarrow \mathcal{L}(P_{1A}\|_B Q) \subseteq \mathcal{L}(P_{2A}\|_B Q)$ (51) 

$\mathcal{L}(P_1) = \mathcal{L}(P_2) \Rightarrow \mathcal{L}(P_{1A}\|_B Q) = \mathcal{L}(P_{2A}\|_B Q)$ (52) 

$A \subseteq B \Rightarrow \mathcal{L}((P_A\|_B Q)_A\|_B Q) = \mathcal{L}(P_A\|_B Q)$ (53) 

$\mathcal{L}((P_A\|_B Q)\backslash_{\Sigma - A}) \subseteq \mathcal{L}(P\backslash_{\Sigma - A})$ (54) 
10. ASPECTS OF CONTROLLABILITY 


We conclude this paper with some remarks about controllability in discrete event control 
viewed within the framework of concurrency. 

A behavioral specification for a DEP is, typically, a statement about languages. If 
Σ_s ⊆ Σ is some event subset, then a local specification consists of a pair of languages 
$\mathcal{K}_s, \overline{\mathcal{K}}_s \subseteq \Sigma_s^*$ such that $\mathcal{L}(P\backslash_{\Sigma - \Sigma_s})$, the language of the process localized to Σ_s, satisfies 
the constraint 

$\mathcal{K}_s \subseteq \mathcal{L}(P\backslash_{\Sigma - \Sigma_s}) \subseteq \overline{\mathcal{K}}_s$ (55) 

Sometimes $\mathcal{K}_s = \emptyset$, and the specification consists of the upper-bound constraint only. If 
Σ_s = Σ, we call the corresponding specification global. 

We shall assume that Σ = Σ_u ∪ Σ_c, A := Σ_u ∪ Σ_c = Σ and B = Σ_c. In view of (54), it 
is then clear that if S is a supervisor for a process P, then 

$\mathcal{L}(S/P) = \mathcal{L}(P_\Sigma\|_{\Sigma_c} S) \subseteq \mathcal{L}(P)$ (56) 

We can now introduce within our framework the concept of controllable languages. 

Definition 10.1 Let $\mathcal{K}$ be a closed⁶ sublanguage of $\mathcal{L}(P)$. $\mathcal{K}$ is said to be controllable if 
and only if there exists a supervisor S such that 

$\mathcal{K} = \mathcal{L}(P_\Sigma\|_{\Sigma_c} S)$ (57) 

A characterization of controllability⁷ is the following easily proved theorem: 

Theorem 10.1 A closed sublanguage $\mathcal{K} \subseteq \mathcal{L}(P)$ is controllable if and only if for all strings 
$t\sigma \in \mathcal{L}(P)$ such that $t \in \mathcal{K}$ and $\sigma \in \Sigma$, 

$t\sigma \notin \mathcal{K} \Rightarrow \sigma \in \Sigma_c$ (58) 

An immediate consequence of (48) (which is actually valid also for an arbitrary, not neces- 
sarily finite, number of processes) is the following 

Proposition 10.1 Let P be a process. The class of controllable sublanguages of $\mathcal{L}(P)$ is 
closed under set union. 

⁶ A language is closed if it includes all its prefixes [21]. 

⁷ This characterization was used as the definition of controllability by Wonham and Ramadge in [45]. 
Consider now a process P, and let Δ, the deadlock process, serve as supervisor. The con- 
trolled process is then given as 

$(\Delta/P) = P_\Sigma\|_{\Sigma_c}\Delta$ (59) 

and it is clear from (51) that if S is any supervisor for P, then 

$\mathcal{L}(\Delta/P) \subseteq \mathcal{L}(S/P)$ (60) 

Thus, the language $\mathcal{L}(\Delta/P)$ is the smallest controllable sublanguage of $\mathcal{L}(P)$. We denote this 
sublanguage by $\mathcal{U}_P$ and call it the uncontrollable or spontaneous language of P. 

Theorem 10.2 Let P be a process. Let $\mathcal{K} \subseteq \mathcal{L}(P)$ be a nonempty closed sublanguage. If 
$\mathcal{U}_P \subseteq \mathcal{K}$, then $\mathcal{K}$ contains a unique (nonempty) supremal controllable sublanguage. 
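Theorem 10.1 gives a decision procedure for finite prefix-closed languages, and the union-closure of Proposition 10.1 is what makes the supremal sublanguage of Theorem 10.2 computable by iterated pruning. The following Python code is an added example, not from the report; the plant language L_P, the candidate specifications K_1 and K_2 and the event partition are constructed here. U_P is computed directly as the traces of P over Σ_u alone, which is what (59) yields since Δ, as supervisor, participates in no controllable event and therefore blocks every one of them under (41).

```python
"""Controllability of closed languages after Theorem 10.1, on finite languages
represented as sets of strings over single-letter events. Added example."""


def prefix_close(words):
    """Smallest closed language containing the given strings."""
    return {w[:i] for w in words for i in range(len(w) + 1)}


def is_controllable(K, L, sigma_c):
    """Theorem 10.1 (58): every one-event extension t·s of a string t in K that is
    possible in L but leaves K must be a controllable event."""
    return all(ts in K or ts[-1] in sigma_c
               for ts in L if ts and ts[:-1] in K)


def supremal_controllable(K, L, sigma_c):
    """Largest controllable sublanguage of the closed language K (Theorem 10.2).
    Repeatedly drop every string from which an uncontrollable event leads out of K,
    together with all its extensions (to stay prefix-closed), until (58) holds."""
    K = set(K)
    while True:
        bad = {ts[:-1] for ts in L
               if ts and ts[:-1] in K and ts not in K and ts[-1] not in sigma_c}
        if not bad:
            return K
        K = {t for t in K if not any(t.startswith(b) for b in bad)}


def uncontrollable_language(L, sigma_c):
    """U_P = L(Delta/P): with the deadlock process as supervisor every controllable
    event is blocked by (41), so only traces made of uncontrollable events survive."""
    return {t for t in L if not any(s in sigma_c for s in t)}


SIGMA_C = set("abc")                        # constructed partition: Sigma_u = {d, e}
L_P = prefix_close({"ab", "ae", "d", "dc"})  # constructed plant language L(P)
K1 = prefix_close({"a", "d"})                # violates (58): a -e-> ae leaves K1, e uncontrollable
K2 = prefix_close({"ae", "d"})               # satisfies (58): only b and c lead out of K2


if __name__ == "__main__":
    print("K1 controllable:", is_controllable(K1, L_P, SIGMA_C))
    print("K2 controllable:", is_controllable(K2, L_P, SIGMA_C))
    print("sup C(K1):", sorted(supremal_controllable(K1, L_P, SIGMA_C)))
    print("U_P:", sorted(uncontrollable_language(L_P, SIGMA_C)))
```

Since U_P = {ε, d} lies inside K_1, Theorem 10.2 promises a nonempty supremal controllable sublanguage; the pruning finds it to be exactly {ε, d}. The union of K_2 with any other controllable sublanguage of L_P stays controllable, in line with Proposition 10.1.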


11. CONCLUDING REMARKS 

In this report we surveyed several aspects of the theory of concurrency and process- 
algebra and showed how the theory can be adapted to deal with issues of Discrete Event 
Process (DEP) modeling and control. The proposed framework captures to a greater extent 
than others the essential details of the process/supervisor interaction and nondeterminism. 

We believe that the algebraic approach to DEP modeling and control proposed here 
can, when fully developed, alleviate some of the computational difficulties caused by high 
dimensionality of practical DEPs by replacing exhaustive searches with symbolic computa- 
tions. Thus, the very early results reported here may be viewed as a step in the development 
of an effective methodology for the design of high-level automata, which are expected to 
play a major role in future aerospace systems. 
Part II 

ALGEBRA OF DISCRETE EVENT PROCESSES 

12. MODELS AND SPECIFICATIONS 


12.1 Experimentation and Trajectories 

In order to get an intuition about the model that we shall later formalize, we introduce 
it here intuitively through the idea of experimentation on processes. 

We think of a discrete event process as a device that can undergo state changes at 
discrete points in time in response to certain isolated events. In general these events occur 
asynchronously (i.e. without reference to a clock) and sometimes also nondeterministically. 
Some of the events (and associated transitions) are observable (or accessible) from the exter- 
nal environment but some may be internal and unobservable. With each observable event is 
associated an event symbol σ. The set of all observable events, called the process alphabet, 
is denoted Σ. 

Let us assume for the sake of the current discussion that all events in Σ are available 
for 'external experimentation'; that is, we imagine that there is a panel of buttons, each 
marked with a symbol σ ∈ Σ. When a button is pressed, the corresponding event symbol 
can either be accepted by the process, resulting in a state transition, or it can be refused 
and nothing happens. We regard a refusal as persistent in that repeated experimentation 
with the same button will not change the outcome. The unobservable events are assumed 
to occur spontaneously (and at unknown times) and the associated transitions are assumed 
to be undetectable. 

Now, at any time we may press any button. If the corresponding event is possible at 
that time and a state transition occurs, we record this fact. Otherwise, if the process refuses 
the event, we record the refusal and we can choose another event button for experimentation. 
This can be repeated until (if it ever happens) we hit a successful button and an event is 
accepted. We can now move on to the execution of the next observable event by pressing 
buttons until another successful event is encountered and so on. The experiment can be 
terminated at any time. Of course, internal unobservable transitions can occur at any time 
without our knowledge, thereby introducing an element of nondeterminism into the process 
that will play a major role in the theory. 

Now, our experimental record, or trajectory, is given by 

$e = ((X_0, \sigma_1)(X_1, \sigma_2) \cdots (X_{k-1}, \sigma_k), X_k)$ (61) 

where k is the number of successful event transitions in the experiment, σ_i is the i-th suc- 
cessful event, X_0 (called the initial refusal of e) is the set of refused events prior to the first 
successful event, and for i > 0, X_i (⊆ Σ) is the set of refused event symbols after the i-th 
success. The refusal set X_k of e is called its final refusal. Thus, a trajectory is an element of 
the set of observations $\mathcal{O} := (2^\Sigma \times \Sigma)^* \times 2^\Sigma$. It will be assumed that under normal behavior 
(see further discussion below regarding the possibility of divergence) all process trajectories 
are valid, that is, they satisfy the condition that σ_i ∉ X_{i−1} for all i > 0. This assumption is 
consistent with our interpretation of refusals as persistent, that is, events cannot be executed 
if they have just been refused. It is convenient to denote each pair (X_{i−1}, σ_i) by w_i and the 
string w_1 w_2 ... w_k by w. The number of elements in the string w is called the length of w and 
is denoted |w|. We call w_i the i-th left execution of e, with refusal X_{i−1} and event σ_i. The 
string w (∈ $\mathcal{E}^l := (2^\Sigma \times \Sigma)^*$) is called the left execution string of e. We call the trajectory 
representation of Equation (61), which can also be expressed as 

$e := (w, X)$ (62) 

the left representation of e. In the above equation it is clearly understood that X = X_k. If 
we terminate our experiment before we ever reach a successful event, the trajectory will be 
given by the pair (ε, X_0) where ε denotes the empty execution string. The trajectory (ε, ∅) is 
called the null trajectory. The length of a trajectory e = (w, X_k) is defined as |e| = |w| = k. 

The trajectory of Equation (61) can also be written in the form 

$e = (X_0, (\sigma_1, X_1) \cdots (\sigma_k, X_k))$ (63) 

which we call the right representation. Thus, we think of e as an element of $\mathcal{O}$ represented as 
$\mathcal{O} := 2^\Sigma \times (\Sigma \times 2^\Sigma)^*$. Here we refer to each pair v_i = (σ_i, X_i) as the i-th right execution and 
to the string v = v_1 ... v_k (∈ $\mathcal{E}^r := (\Sigma \times 2^\Sigma)^*$) as the right execution string of the trajectory. 
The trajectory can, thus, also be written as 

$e = (X, v)$ (64) 

where it is clearly understood that X = X_0. Obviously, |v| = |e| = k. In the sequel we shall 
use both representations and it will always be clearly understood whether we refer to left 
or right trajectory representations. Finally, we associate with a trajectory e its trace tr(e), 
that is, its associated string of events 

$tr(e) = s = \sigma_1 \cdots \sigma_k$ (65) 

Suppose now that, for a given process, our set of observed trajectories includes a 
trajectory 

$e = (X_0, (\sigma_1, X_1) \cdots (\sigma_k, X_k))$ (66) 

Then it must clearly include also every prefix of e, that is, every trajectory of the form 

$pref_j(e) := (X_0, (\sigma_1, X_1) \cdots (\sigma_j, X_j))$ (67) 

with j = 0, ..., k (where pref_0(e) := (X_0, ε) and pref_k(e) = e). We shall denote the set of 
all prefixes of e by pref(e), that is 

$pref(e) = \bigcup_{j = 0, \ldots, k} pref_j(e)$ (68) 

We shall sometimes use the notation f ≤ e to denote the fact that f ∈ pref(e), and f < e 
to denote the fact that e ≠ f ∈ pref(e). If E is a set of trajectories, we shall denote by 
pref(E) the set of all prefixes of trajectories in E, that is, 

$pref(E) = \bigcup_{e \in E} pref(e)$ (69) 

Next, it is clear that the order in which we press the various buttons is arbitrary. Thus, if 
instead of (σ_j, X_j), the j-th (right) execution had been (σ_j, Y_j) where Y_j ⊆ X_j is any subset, 
it would have been just as successful. Consequently, we may add to our set of observed 
trajectories also the set of all the trajectories of the form 

$(Y_0, (\sigma_1, Y_1) \cdots (\sigma_k, Y_k))$ (70) 

where Y_j ⊆ X_j for j = 0, ..., k. We call this set of trajectories the completion of e, and 
denote it comp(e). It is clear, in view of our discussion, that the set of trajectories of our 
process must also include the set of all prefixes for each trajectory in comp(e). The union of 
all trajectories thus obtained is called the closure of e and is denoted cl(e), that is, 

$cl(e) := \bigcup_{v \in comp(e)} pref(v)$ (71) 

It thus follows (without necessarily having to make this observation experimentally) that if 
e is a trajectory of a process so is every trajectory in cl(e). 

We proceed now with some extension of our terminology. Let 

$e = (X_0, w) = (X_0, (\sigma_1, X_1) \cdots (\sigma_k, X_k))$ (72) 

be a trajectory in right representation. If 

$v = (\sigma_{k+1}, X_{k+1}) \cdots (\sigma_l, X_l)$ (73) 

(l > k) is a (right) execution string such that $f := (X_0, w^\frown v)$ is also a trajectory, where $w^\frown v$ 
is the concatenation of w and v given by 

$(\sigma_1, X_1) \cdots (\sigma_k, X_k)(\sigma_{k+1}, X_{k+1}) \cdots (\sigma_l, X_l)$ (74) 

(so that e is a prefix of f) we say that f is an extension of e and that v is a post-execution 
string of e. Sometimes, with some abuse of notation, we shall also write the above simply as 
$f = e^\frown v$. 

Similarly we may consider a trajectory in left representation 

$f = (v^\frown w, X_k) = ((X_0, \sigma_1) \cdots (X_{k-1}, \sigma_k), X_k)$ (75) 

where 

$v = (X_0, \sigma_1) \cdots (X_{l-1}, \sigma_l)$ (76) 

and 

$w = (X_l, \sigma_{l+1}) \cdots (X_{k-1}, \sigma_k)$ (77) 

and consider the trajectory e = (w, X_k). We shall say that the trajectory e is a suffix of 
f, that v is a pre-execution string of e and that e is a post-trajectory of v. We shall also 
sometimes use the notation $f = v^\frown e$. 

Finally, it is also clear from the earlier discussion that if s ∈ Σ* is a trace of some 
trajectory e of a process, then every prefix t of s is also a trace of a trajectory of the process. 
(A string t ∈ Σ* is a prefix of s if there exists r ∈ Σ* such that $t^\frown r = s$, where, as before, $^\frown$ 
denotes concatenation. The empty string ε is a prefix of every string.) 

12.2 Termination 


We turn now to a discussion of various aspects of process termination. The simplest way 
in which a process can terminate is if it can undergo no further state changes. Specifically, 
suppose that a process possesses a trajectory (w, X) with X = Σ. That is, after executing 
the string w, the process refuses every event in its alphabet. The process then terminates 
by necessity, since no further event executions are physically possible. If this is the case we 
say that the process has reached deadlock. 

However, processes can terminate in another way as well. Suppose we assign our process 
tasks to be completed. We can then say that the process terminates successfully whenever 
it completes a task. Successful termination is, of course, a legislated property (rather than 
a physical one) and is, in general, not accompanied by deadlock. We identify successful 
termination with the execution of a prescribed set of execution strings. Specifically, we 
introduce a special termination symbol ↓ into our process alphabet as follows. If w is a 
successfully terminating execution string, we define the associated trajectory to be (w, {↓}), 
where ↓ indicates the successful termination. Thus, the set {↓} assumes the role of the 
refusal set in the trajectory, and we apply to it the convention that it is a stand-alone symbol, 
that is, either {↓} = X or ↓ ∉ X. We denote the alphabet extended by the termination 
symbol, Σ ∪ {↓}, by Σ_t, and the set of observations that include the possibility of successful 
termination by $\mathcal{O}_t := (2^{\Sigma_t} \times \Sigma)^* \times 2^{\Sigma_t}$ $(= 2^{\Sigma_t} \times (\Sigma \times 2^{\Sigma_t})^*)$. We shall also use the notation 
$\mathcal{E}^l_t$ and $\mathcal{E}^r_t$ for $(2^{\Sigma_t} \times \Sigma)^*$ and $(\Sigma \times 2^{\Sigma_t})^*$, respectively. 

12.3 Divergence 

One further form of process behavior that we want to model is a catastrophic form of 
termination that is called divergence. By divergence we intuitively mean that the process 
has become completely chaotic and unpredictable in its behavior. This can occur as a conse- 
quence of inadequate observability, for example when the process can undergo an unbounded 
sequence of unobservable state transitions. Alternatively, it might conceivably occur as a 
result of process failure. Since divergence cannot be finitely observed, i.e., there does not 
exist a finite experiment that can determine divergence, a special divergence symbol ↑ is 
introduced into the process alphabet to indicate that divergence has occurred. We denote 
the alphabet extended by the divergence symbol, Σ ∪ {↑}, by Σ_d, and the set of observations 
that include the possibility of divergence by $\mathcal{O}_d := (2^{\Sigma_d} \times \Sigma)^* \times 2^{\Sigma_d}$ $(= 2^{\Sigma_d} \times (\Sigma \times 2^{\Sigma_d})^*)$. 
We shall also use the notation $\mathcal{E}^l_d$ and $\mathcal{E}^r_d$ for $(2^{\Sigma_d} \times \Sigma)^*$ and $(\Sigma \times 2^{\Sigma_d})^*$, respectively. A 
trajectory 

$(X_0, (\sigma_1, X_1) \cdots (\sigma_k, X_k))$ 

will then be called chaotic (non-chaotic) if there exists (respectively, does not exist) j, 0 ≤ 
j ≤ k, such that ↑ ∈ X_j. A chaotic trajectory is called divergent if it has no proper prefix 
which is also chaotic. If e is a divergent trajectory, we define the divergence of e by 

$div(e) := \{e^\frown v \mid v \in \mathcal{E}^r_d\}$ 

12.4 Specification Models 

We shall now turn to formalize the concept of a process. Intuitively we identify a process 
with its behavioral specification, that is, with the set of all its possible trajectories. This 
leads us to the definition of an abstract object called a process as follows. Let Σ denote the 
process alphabet and let Σ_td denote its extended alphabet, that is, Σ_td = Σ ∪ {↓, ↑}. 

Definition 12.1 A (discrete event) process P is a subset $P \subseteq \mathcal{O}_{td} := (2^{\Sigma_{td}} \times \Sigma)^* \times 2^{\Sigma_{td}}$ 
$(= 2^{\Sigma_{td}} \times (\Sigma \times 2^{\Sigma_{td}})^*)$ satisfying the following conditions: 

(C1) $(\varepsilon, \emptyset) \in P$ 

(C2) $((X_0, \sigma_1)(X_1, \sigma_2) \cdots (X_{k-1}, \sigma_k), X_k) \in P \ \&\ \exists j: 0 \le j \le k-1;\ \sigma_{j+1} \in X_j \Rightarrow$ 
$\quad ((X_0, \sigma_1) \cdots (X_{j-1}, \sigma_j), X_j \cup \{\uparrow\}) \in P$ 

(C3) $e = (w, X) \in P \Rightarrow cl(e) \subseteq P$ 

(C4) $(w, X) \in P \ \&\ \{\downarrow\} \ne X \Rightarrow \downarrow \notin X$ 

(C5) $((X_0, \sigma_1)(X_1, \sigma_2) \cdots (X_{k-1}, \sigma_k), X_k) \in P \ \&\ \exists j\ (0 \le j \le k-1);\ \downarrow \in X_j \Rightarrow$ 
$\quad ((X_0, \sigma_1) \cdots (X_{j-1}, \sigma_j), X_j \cup \{\uparrow\}) \in P$ 

(C6) $((X_0, \sigma_1)(X_1, \sigma_2) \cdots (X_{k-1}, \sigma_k), X_k) \in P \ \&\ \sigma \in \Sigma - X_j,\ 0 \le j \le k,\ \&$ 
$\quad ((X_0, \sigma_1)(X_1, \sigma_2) \cdots (X_{j-1}, \sigma_j)(X_j, \sigma), \emptyset) \notin P \Rightarrow$ 
$\quad ((X_0, \sigma_1) \cdots (X_{j-1}, \sigma_j)(X_j \cup \{\sigma\}, \sigma_{j+1}) \cdots (X_{k-1}, \sigma_k), X_k) \in P$ 

(C7) $e = (w, X) \in P \ \&\ \uparrow \in X \Rightarrow (w^\frown u, Y) \in P \quad \forall (u, Y) \in \mathcal{O}_{td}$ 

Condition C1 states that the null trajectory is in every process. Condition C2 states that all 
trajectories of a non-divergent process must be valid. Condition C3 states that a process is 
a closed family of trajectories. Condition C4 states that the termination symbol is a stand- 
alone symbol. Condition C5 states that a proper prefix of a trajectory in a non-divergent 
process is always nonterminating, implying that once the termination symbol appears, no 
further events can be executed (unless the process diverges and becomes chaotic). Condition 
C6 states that if an event is impossible it will be refused. (It is worth remarking here that in 
nondeterministic processes events need not be impossible to be refused.) Finally, condition 
C7 states that once a process diverges it becomes chaotic forever, or in other words, if e ∈ P 
then div(e) ⊆ P. 
We shall denote the class of all processes (in $O_{td}$) by $\mathcal{P}_{\Sigma_{td}}$. Similarly, we shall denote the class of all divergence-free processes (i.e., processes in $O_t$) by $\mathcal{P}_{\Sigma_t}$, the class of nonterminating processes (in $O_d$) by $\mathcal{P}_{\Sigma_d}$, and the class of divergence-free and nonterminating processes (in $O$) by $\mathcal{P}_\Sigma$.

The set of all traces $s \in \Sigma^*$ such that $s = tr(e)$ for some $e \in P$, where $P \in \mathcal{P}_{\Sigma_{td}}$ is a process, is called the language generated by $P$ and is denoted $\mathcal{L}(P)$. By condition C3 of the above definition it follows immediately that $\mathcal{L}(P)$ is (prefix) closed.

Theorem 12.1 The union of a nonempty set of processes in $\mathcal{P}_{\Sigma_{td}}$ is a process.

Proof. Let $\mathcal{D}$ be a nonempty set of processes and let $P = \bigcup \mathcal{D}$. Then

$(w,X) \in P \Leftrightarrow \exists Q \in \mathcal{D} \text{ s.t. } (w,X) \in Q$

It must be shown that $P$ satisfies conditions C1 to C7 of Definition 12.1. We shall prove condition C6. Thus, let

$e := ((X_0,\sigma_1)(X_1,\sigma_2)\ldots(X_{k-1},\sigma_k), X_k) \in P$

and assume that for some $j$, $0 \le j \le k$, and some $\sigma \in \Sigma - X_j$,

$e' := ((X_0,\sigma_1)(X_1,\sigma_2)\ldots(X_{j-1},\sigma_j)(X_j,\sigma), \emptyset) \notin P$

By definition of $P$ it follows that $\exists Q \in \mathcal{D}$ such that $e \in Q$ and $e' \notin Q$. Since $Q$ is a process, it must satisfy condition C6, so that

$e'' := ((X_0,\sigma_1)\ldots(X_{j-1},\sigma_j)(X_j \cup \{\sigma\},\sigma_{j+1})\ldots(X_{k-1},\sigma_k), X_k) \in Q$

Thus it follows that $e'' \in P$ and condition C6 follows. The remaining conditions are quite straightforward.

Let $P$ be a process and let $Q$ be a set of trajectories of $P$. We shall call $Q$ a generating set or generator of $P$ and write $P = gen(Q)$ if

$P = \bigcup_{e \in Q} cl(e)$    (78)

Below are a number of interesting and useful process examples.

Example 12.1 [The Null Process $\mathcal{N}$.] This is the process that has no nonempty trajectories by virtue of the fact that it is initially successfully terminating. It is given by

$\mathcal{N} = gen((\varepsilon, \{\Uparrow\}))$    (79)

Example 12.2 [The Deadlock Process $\Delta$.] This is the process that has no nonempty trajectories by virtue of its initial deadlock. It is given by

$\Delta = gen((\varepsilon, \Sigma))$    (80)

Example 12.3 [The Divergence Process $\nabla$.] This is the chaotic process that diverges from the start. It is given by

$\nabla = O_{td}$    (81)

Thus, the process $\nabla$ includes every process in $\mathcal{P}_{\Sigma_{td}}$.

12.5 Postprocesses and Transitions

Let $P$ be a process and let $w$ be a left execution string of $P$, that is, $e = (w, \emptyset) \in P$. A process $Q$ is called a $w$-postprocess of $P$ if

$Q \subseteq \{(v,X) \mid (w^\frown v, X) \in P\}$    (82)

It is easily verified by checking the conditions of Definition 12.1 that the right hand side of (82) is itself a process. The process $Q$ for which (82) holds with equality is called the supremal $w$-postprocess of $P$. We denote this process by $P/w$, that is,

$P/w = \{(v,X) \mid (w^\frown v, X) \in P\}$    (83)

For two (left) execution strings $v$ and $w$, we then have

$(P/v)/w = P/v^\frown w$    (84)

The above discussion allows us to interpret condition C7 of Definition 12.1 as a postprocess condition. Specifically, the condition states that if $(w,X) \in P$ and $\uparrow \in X$, then $P/w = \nabla$, that is, the postprocess after occurrence of divergence is the divergence process.

A process transition for an execution string $w$, denoted $\xrightarrow{w}$, is a relation on $\mathcal{P}_{\Sigma_{td}}$, the set of $\Sigma_{td}$-processes, defined as

$P \xrightarrow{w} Q \Leftrightarrow Q \subseteq P/w$    (85)

We say that process $P$ undergoes transition to process $Q$ along the execution string $w$ if $Q$ is a $w$-postprocess of $P$.

The following properties of postprocesses and transitions follow easily:

Proposition 12.1 $P \xrightarrow{v} Q \ \&\ Q \xrightarrow{w} R \Rightarrow P \xrightarrow{v^\frown w} R$

Proof. By (82)

$P \xrightarrow{v} Q \Leftrightarrow Q \subseteq \{(u,X) \mid (v^\frown u, X) \in P\}$
$Q \xrightarrow{w} R \Leftrightarrow R \subseteq \{(u,Y) \mid (w^\frown u, Y) \in Q\}$

Hence

$(u,Y) \in R \Rightarrow (w^\frown u, Y) \in Q \Rightarrow (v^\frown w^\frown u, Y) \in P$

Upon applying (82) again we obtain $P \xrightarrow{v^\frown w} R$ as claimed.

Proposition 12.2 $P \xrightarrow{v^\frown w} R \Rightarrow \exists Q .\ P \xrightarrow{v} Q \ \&\ Q \xrightarrow{w} R$

Proof. By (82) we have

$P \xrightarrow{v^\frown w} R \Leftrightarrow R \subseteq \{(u,X) \mid (v^\frown w^\frown u, X) \in P\}$

Defining $Q := \{(y,X) \mid (v^\frown y, X) \in P\}$, it follows directly from (83) that $Q = P/v$, so that $P \xrightarrow{v} Q$. To conclude the proof, we need to show that $Q \xrightarrow{w} R$. This is equivalent to showing that

$R \subseteq \{(u,X) \mid (w^\frown u, X) \in Q\}$

Indeed, let $(u,X) \in R$. Then, by hypothesis, we have $(v^\frown w^\frown u, X) \in P$ or, alternatively, we have $(v^\frown(w^\frown u), X) \in P$. But $Q = P/v$, so that $(w^\frown u, X) \in Q$ and the proof is complete.

Definition 12.2 A process $P$ is called $\Theta$-stuttering for a subset $\Theta \subseteq \Sigma$ if for any trajectory

$e = ((X_0,\sigma_1)\ldots(X_{j-1},\sigma_j)\ldots(X_{k-1},\sigma_k), X_k) \in P$

such that $\sigma_j \in \Theta$, it follows that

$e_n = ((X_0,\sigma_1)\ldots(X_{j-1},\sigma_j)^n\ldots(X_{k-1},\sigma_k), X_k) \in P$

for all $n \ge 0$, where $(X_{j-1},\sigma_j)^n$ denotes the execution $(X_{j-1},\sigma_j)$ repeated $n$ times.

The following Proposition is an easy consequence of the above definition:

Proposition 12.3 Let $P$ be a $\Theta$-stuttering process and let $w$ be a left execution string of $P$. If for $\sigma \in \Theta$, $w^\frown(X,\sigma)$ is also a left execution string of $P$, then for all $n \ge 0$

$P/w^\frown(X,\sigma)^n = P/w$
12.6 Nondeterminism

Intuitively, process nondeterminism occurs when a process undergoes 'silent' or unobservable transitions and its behavior cannot be completely determined from its trace history. Thus, if $P$ is a process, we are interested in the possibility of the process undergoing changes along the empty execution string.

Let $Q$ be an $\varepsilon$-postprocess of a given process $P$. Then

$Q \subseteq P/\varepsilon = \{(w,X) \mid (w,X) \in P\} = P$    (86)

and it follows that $Q$ is an $\varepsilon$-postprocess of $P$ if and only if $Q \subseteq P$, that is, if and only if $Q$ is a subprocess of $P$. We can then write

$P \xrightarrow{\varepsilon} Q \Leftrightarrow P \supseteq Q$    (87)

It then follows immediately that $\xrightarrow{\varepsilon}$ induces a partial order on processes, that is,

$P \xrightarrow{\varepsilon} P$

$P \xrightarrow{\varepsilon} Q \ \&\ Q \xrightarrow{\varepsilon} P \Leftrightarrow P = Q$

$P \xrightarrow{\varepsilon} Q \ \&\ Q \xrightarrow{\varepsilon} R \Rightarrow P \xrightarrow{\varepsilon} R$

We shall denote the partial order $\xrightarrow{\varepsilon}$ by the more conventional notation $\sqsubseteq$. Thus,

$P \sqsubseteq Q \Leftrightarrow P \xrightarrow{\varepsilon} Q \Leftrightarrow P \supseteq Q$    (88)

and we say that $P$ is more nondeterministic than $Q$. (Note that $\sqsubseteq$ is reverse set inclusion: the process that is lower in the order is the larger set of trajectories.)

Definition 12.3 A set of processes $\mathcal{D}$ is called directed if for each pair $Q_1, Q_2 \in \mathcal{D}$ there exists a process $R \in \mathcal{D}$ such that $Q_1 \sqsubseteq R \ \&\ Q_2 \sqsubseteq R$.

Theorem 12.2 The intersection of any directed set of processes is a process.

Proof. Let $\mathcal{D}$ be a directed set of processes and let $P := \bigcap \mathcal{D}$. Then

$(w,X) \in P \Leftrightarrow \forall Q \in \mathcal{D} .\ (w,X) \in Q$

To show that $P$ is a process it is necessary to prove that it satisfies conditions C1-C7 of Definition 12.1. Conditions C1-C5 as well as condition C7 hold for the intersection of any set of processes. We shall prove condition C6, which requires also the directedness property.

Suppose

$e = ((X_0,\sigma_1)(X_1,\sigma_2)\ldots(X_{k-1},\sigma_k), X_k) \in P$

and for some $j$, $0 \le j \le k$, and some $\sigma \in \Sigma - X_j$,

$e' = ((X_0,\sigma_1)(X_1,\sigma_2)\ldots(X_{j-1},\sigma_j)(X_j,\sigma), \emptyset) \notin P$

Then $e \in Q$ for all $Q \in \mathcal{D}$, but for some process $Q_1 \in \mathcal{D}$, $e' \notin Q_1$. Now condition C6 will hold for $P$ unless there exists some process $Q_2 \in \mathcal{D}$ such that

$e'' = ((X_0,\sigma_1)\ldots(X_{j-1},\sigma_j)(X_j \cup \{\sigma\},\sigma_{j+1})\ldots(X_{k-1},\sigma_k), X_k) \notin Q_2$

However, by the directedness of $\mathcal{D}$, there is a process $R \in \mathcal{D}$ such that $Q_1 \xrightarrow{\varepsilon} R$ and $Q_2 \xrightarrow{\varepsilon} R$, so that $R \subseteq Q_1 \cap Q_2$. It then follows that $e \in R$, $e' \notin R$ and $e'' \notin R$, contradicting condition C6 for $R$. This violates the assumption that $Q_2$ exists and the proof is complete.

Let $\mathcal{D}$ be a directed set of processes. Then for each process $P \in \mathcal{D}$, $P \sqsubseteq \bigcap \mathcal{D}$. Thus, the process $\bigcap \mathcal{D}$ is the least upper bound of $\mathcal{D}$ and is denoted $\bigsqcup \mathcal{D}$. By definition of $\bigsqcup \mathcal{D}$ we then have that

$\forall Q \in \mathcal{D} .\ Q \sqsubseteq \bigsqcup \mathcal{D}$    (89)

Note that $\bigsqcup \mathcal{D}$ need not be an element of $\mathcal{D}$.

An infinite sequence of processes $\{P_i \mid i \ge 0\}$ is called a chain if it satisfies the condition that

$\forall i .\ P_i \sqsubseteq P_{i+1}$

Clearly a chain of processes is a directed set and the least upper bound of the chain, $\bigsqcup P_i$, is then called the limit of the chain.

Theorems 12.1 and 12.2 imply the following important

Proposition 12.4 The partial order $(\mathcal{P}_{\Sigma_{td}}, \sqsubseteq)$ is a complete partial order (cpo).

The following fact is also important.

Theorem 12.3 Let $\mathcal{D}$ be a directed set of processes. Then

$\bigsqcup \mathcal{D} \xrightarrow{w} R \Leftrightarrow \forall Q \in \mathcal{D} .\ Q \xrightarrow{w} R$

Proof. By (85)

$\bigsqcup \mathcal{D} \xrightarrow{w} R \Leftrightarrow R \subseteq \{(v,X) \mid (w^\frown v, X) \in \bigsqcup \mathcal{D}\} = \{(v,X) \mid (w^\frown v, X) \in \bigcap_{Q \in \mathcal{D}} Q\}$

$\Leftrightarrow \forall Q \in \mathcal{D} .\ R \subseteq \{(v,X) \mid (w^\frown v, X) \in Q\}$

$\Leftrightarrow \forall Q \in \mathcal{D} .\ Q \xrightarrow{w} R$

Consider now a process $P$ and let $P_F$ denote the subset of $P$ consisting of all free trajectories of $P$, that is, all trajectories $(w, \emptyset) \in P$ for which $w$ has the form

$w = (\emptyset,\sigma_1)(\emptyset,\sigma_2)\ldots(\emptyset,\sigma_k)$    (90)

Thus, each free trajectory of $P$ can be identified with its associated trace $s$,

$s = \sigma_1 \ldots \sigma_k \ (\in \Sigma^*)$

and it is not hard to see that we can identify the set $P_F$ with $\mathcal{L}(P)$, the language generated by $P$.

We turn now to the inverse question. Let $S$ be a prefix closed subset of $\Sigma^*$. Do there exist processes $P$ such that $\mathcal{L}(P) = S$? More specifically, how can such processes be constructed?

Definition 12.4 A process $P$ is called deterministic if for every trajectory $(w,X) \in P$ and any $\sigma \in \Sigma$

$(w^\frown(X,\sigma), \emptyset) \notin P \Leftrightarrow (w, X \cup \{\sigma\}) \in P$    (91)

Thus, a process is deterministic whenever events are refused if and only if they are impossible. It is worthwhile to compare (91) with condition C6 of Definition 12.1, where it was only required that impossible events are refused.

Now let $S$ be a prefix-closed set of traces and define $det(S)$ to be the set of trajectories obtained by the following inductive procedure:

$(\varepsilon, \emptyset) \in det(S)$    (92)

and if $e = (w,X) \in det(S)$ and $\sigma \in \Sigma$, then

$(w, X \cup \{\sigma\}) \in det(S) \Leftrightarrow tr(e)^\frown\sigma \notin S$    (93)

$(w^\frown(X,\sigma), \emptyset) \in det(S) \Leftrightarrow tr(e)^\frown\sigma \in S$    (94)

It is readily verified that $det(S)$ is a process. To this end it is necessary to show that the conditions of Definition 12.1 are satisfied. Again, let us examine condition C6. Consider any trajectory

$((X_0,\sigma_1)(X_1,\sigma_2)\ldots(X_{k-1},\sigma_k), X_k) \in det(S)$    (95)

and let $j$, $0 \le j \le k$, and $\sigma \in \Sigma - X_j$ be such that

$((X_0,\sigma_1)(X_1,\sigma_2)\ldots(X_{j-1},\sigma_j)(X_j,\sigma), \emptyset) \notin det(S)$    (96)

Since by our construction

$((X_0,\sigma_1)(X_1,\sigma_2)\ldots(X_{j-1},\sigma_j), X_j) \in det(S)$

it follows from (93) (the event $\sigma$ is impossible after $\sigma_1 \ldots \sigma_j$, so it may be added to $X_j$) and from (94) (the event $\sigma_{j+1}$ is possible there, by (95)) that

$((X_0,\sigma_1)(X_1,\sigma_2)\ldots(X_{j-1},\sigma_j)(X_j \cup \{\sigma\},\sigma_{j+1}), \emptyset) \in det(S)$    (97)

It is now not hard to show, with repeated use of (93), (94) and (95), that (97) implies that

$((X_0,\sigma_1)\ldots(X_{j-1},\sigma_j)(X_j \cup \{\sigma\},\sigma_{j+1})\ldots(X_{k-1},\sigma_k), X_k) \in det(S)$    (98)

and condition C6 is established. The other conditions of Definition 12.1 are also easily verified.

Next examine conditions (93) and (94) and observe that exactly one of their right-hand-side conditions must always hold. This implies that exactly one of the trajectories in (93) and (94) is in $det(S)$ and that condition (91) is satisfied. Hence, $det(S)$ is deterministic. In fact, we have shown the following

Proposition 12.5 Let $S$ be a prefix-closed set of traces. Then the set of trajectories $det(S)$ is a deterministic process such that $\mathcal{L}(det(S)) = S$.
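As an added illustration (this code is not from the report), the following Python implementation builds $det(S)$ for a small prefix-closed language over $\Sigma = \{a, b, c\}$ by enumerating, for every trace of $S$, every choice of refusal sets that (93) permits, which also builds in the closure condition C3. It then checks the determinism condition (91), condition C6 of Definition 12.1, the equality $\mathcal{L}(det(S)) = S$ of Proposition 12.5, and the postprocess identity $det(S)/(\emptyset,a) = det(S/a)$ that follows from (83). The alphabet, the language $S$ and the helper names are constructed for this example; refusal sets are restricted to $\Sigma$ (the class $\mathcal{P}_\Sigma$ of divergence-free, nonterminating processes), so $\Uparrow$ and $\uparrow$ do not appear.

```python
from itertools import combinations, product

# Constructed example (not from the report): a three-letter alphabet and a small
# prefix-closed language S over it.  Refusal sets are subsets of SIGMA only, i.e.
# we stay in the divergence-free, nonterminating class of processes.
SIGMA = frozenset("abc")
S = frozenset(["", "a", "b", "ab", "ba", "abc"])


def is_prefix_closed(lang):
    return all(s[:i] in lang for s in lang for i in range(len(s)))


def subsets(xs):
    """All subsets of xs as frozensets (used to enumerate admissible refusal sets)."""
    xs = sorted(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


def refusable(lang, t):
    """Events that cannot extend trace t inside lang: by (93) these, and only these,
    may appear in a refusal set of det(lang) after t."""
    return frozenset(e for e in SIGMA if t + e not in lang)


def det(lang):
    """det(S) of (92)-(94).  A trajectory ((X_0,s_1)...(X_{k-1},s_k), X_k) is encoded as
    (((X_0, s_1), ..., (X_{k-1}, s_k)), X_k) with every X_i a frozenset.  Enumerating
    all subsets of the refusable events gives the closure required by C3."""
    assert is_prefix_closed(lang), "det(S) is only defined for prefix-closed S"
    trajs = set()
    for s in lang:
        choices = [subsets(refusable(lang, s[:i])) for i in range(len(s) + 1)]
        for sets in product(*choices):
            steps = tuple((sets[i], s[i]) for i in range(len(s)))
            trajs.add((steps, sets[-1]))
    return frozenset(trajs)


def trace(e):
    return "".join(sigma for _, sigma in e[0])


def language(proc):
    """L(P): the traces of the trajectories of P."""
    return frozenset(trace(e) for e in proc)


def is_deterministic(proc):
    """Condition (91): after w, an event is refused exactly when it is impossible."""
    for (w, X) in proc:
        for sigma in SIGMA:
            impossible = (w + ((X, sigma),), frozenset()) not in proc
            refused = (w, X | {sigma}) in proc
            if impossible != refused:
                return False
    return True


def satisfies_c6(proc):
    """Condition C6 of Definition 12.1: an event that is impossible at position j of a
    trajectory can be added to the refusal set X_j without leaving the process."""
    for (w, Xk) in proc:
        steps = list(w)
        sets = [X for X, _ in steps] + [Xk]
        for j, Xj in enumerate(sets):
            head = tuple(steps[:j])
            for sigma in SIGMA - Xj:
                if (head + ((Xj, sigma),), frozenset()) in proc:
                    continue  # sigma is possible here, so C6 imposes nothing
                if j < len(steps):
                    widened = (head + ((Xj | {sigma}, steps[j][1]),) + tuple(steps[j + 1:]), Xk)
                else:
                    widened = (w, Xk | {sigma})
                if widened not in proc:
                    return False
    return True


def postprocess(proc, w):
    """P/w of (83): strip the left execution string w from each trajectory starting with it."""
    n = len(w)
    return frozenset((e[0][n:], e[1]) for e in proc if e[0][:n] == w)


def after(lang, t):
    """S/t: the continuations of the trace t within S."""
    return frozenset(s[len(t):] for s in lang if s.startswith(t))


def run_checks():
    D = det(S)
    w_a = ((frozenset(), "a"),)  # the free execution string (empty set, a)
    return {
        "language": language(D) == S,
        "deterministic": is_deterministic(D),
        "c6": satisfies_c6(D),
        "postprocess": postprocess(D, w_a) == det(after(S, "a")),
        "size": len(D),
    }


if __name__ == "__main__":
    print(run_checks())
```

The special case $S = \{\varepsilon\}$ gives exactly the deadlock process $\Delta$ of (80): every event is impossible initially, so all eight subsets of $\Sigma$ appear as initial refusal sets and no event is ever executed.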

An interesting deterministic process is given in the following

Example 12.4 (The 'All' Process $\mathcal{A}$). This is the deterministic process that at each instant can execute any event in $\Sigma$

$\mathcal{A} = det(\Sigma^*)$    (99)

It is not difficult to verify that $\mathcal{A} = \mathcal{A}_F$, that is, $\mathcal{A}$ consists only of free trajectories.

We also have the following important

Theorem 12.4 Let $S$ be a prefix-closed set of traces and let $P$ be any process such that $\mathcal{L}(P) = S$. Then $det(S) \subseteq P$.

Proof. We must show that if

$e = ((X_0,\sigma_1)(X_1,\sigma_2)\ldots(X_{k-1},\sigma_k), X_k) \in det(S)$

then $e \in P$. Now we know that $tr(e) \in S$, whence the trajectory

$((\emptyset,\sigma_1)(\emptyset,\sigma_2)\ldots(\emptyset,\sigma_k), \emptyset) \in P$

Suppose, contrary to the claim, that $e \notin P$, and let $j$, $0 \le j \le k$, be the first index such that

$((X_0,\sigma_1)\ldots(X_j,\sigma_{j+1})(\emptyset,\sigma_{j+2})\ldots(\emptyset,\sigma_k), \emptyset) \notin P$    (100)

Then there exists a proper subset $Y \subsetneq X_j$ such that

$((X_0,\sigma_1)\ldots(X_{j-1},\sigma_j)(Y,\sigma_{j+1})(\emptyset,\sigma_{j+2})\ldots(\emptyset,\sigma_k), \emptyset) \in P$    (101)

and an event symbol $x \in X_j - Y$ such that

$((X_0,\sigma_1)\ldots(X_{j-1},\sigma_j)(Y \cup \{x\},\sigma_{j+1})(\emptyset,\sigma_{j+2})\ldots(\emptyset,\sigma_k), \emptyset) \notin P$    (102)

From condition C6 of Definition 12.1 it follows that

$((X_0,\sigma_1)\ldots(X_{j-1},\sigma_j)(Y,x), \emptyset) \in P$    (103)

This implies that the trace $\sigma_1 \ldots \sigma_j x \in S$, and we must conclude from (93) that

$((X_0,\sigma_1)\ldots(X_{j-1},\sigma_j), Y \cup \{x\}) \notin det(S)$    (104)

contradicting our assumption that $e \in det(S)$, since $Y \cup \{x\} \subseteq X_j$ and the trajectory in (104) therefore belongs to $cl(e) \subseteq det(S)$ by condition C3. This concludes the proof.


An important consequence of the above theorem is that the set of all processes whose trace set is $S$ is a directed set. Thus we have the following interesting corollaries to Theorem 12.2:

Corollary 12.1 Let $S$ be a prefix-closed subset of $\Sigma^*$. The set of processes $\mathcal{C}(S)$ such that

$P \in \mathcal{C}(S) \Leftrightarrow \mathcal{L}(P) = S$    (105)

is directed.

Corollary 12.2 Let $S$ be a prefix-closed set of traces and let $\mathcal{D}$ be a set of processes such that $P \in \mathcal{D}$ if and only if $\mathcal{L}(P) = S$. Then $\bigcap \mathcal{D}$ is a process.

The following corollary tells us that if a process is deterministic it cannot undergo silent or unobserved changes.

Corollary 12.3 $det(S) \xrightarrow{\varepsilon} R \Rightarrow det(S) = R$

Proof. Since, by (87), $R \subseteq det(S)$, we must show that $det(S) \subseteq R$. By Theorem 12.4, $det(\mathcal{L}(R)) \subseteq R$, whence the proof will be complete if we show that $det(S) = det(\mathcal{L}(R))$, that is, that $S = \mathcal{L}(R)$. Because $R \subseteq det(S)$ we already have $\mathcal{L}(R) \subseteq \mathcal{L}(det(S)) = S$, so it remains to show that $S \subseteq \mathcal{L}(R)$.

We proceed by induction on trace length. For $\varepsilon$ this is obvious; assume the inclusion holds for all traces of length up to and including $n$. Let $s = \sigma_1 \ldots \sigma_n \sigma_{n+1} \in S$. Then, by hypothesis, $t = \sigma_1 \ldots \sigma_n \in \mathcal{L}(R)$ and the trajectory $((\emptyset,\sigma_1)\ldots(\emptyset,\sigma_n), \emptyset) \in R$. If $s \notin \mathcal{L}(R)$, so that the trajectory $((\emptyset,\sigma_1)\ldots(\emptyset,\sigma_n)(\emptyset,\sigma_{n+1}), \emptyset) \notin R$, then from condition C6 of Definition 12.1 we conclude that the trajectory $((\emptyset,\sigma_1)\ldots(\emptyset,\sigma_n), \{\sigma_{n+1}\})$ is in $R$ and hence also in $det(S)$. But this is impossible because it contradicts Equation (93) defining $det(S)$. It follows that $s \in \mathcal{L}(R)$.

The following corollary tells us that deterministic processes always remain deterministic.

Corollary 12.4 $det(S) \xrightarrow{w} R \Rightarrow R = det(\mathcal{L}(R))$.

Finally, we have the following

Corollary 12.5 $det(S) \xrightarrow{w} R \ \&\ R \xrightarrow{\varepsilon} R' \Rightarrow R = R'$
12.7 State Transition Graphs

In this section we shall show how we can construct for a given process $P$ an associated state-space (or state-set) and a corresponding state-transition graph $gr(P)$.

Let $P$ be a process. We define a relation $\le$ on $P$ as follows. For trajectories $e, f \in P$ we shall say that $f \le e$ if $f \in comp(e)$. (Recall that if $e = (X_0, (\sigma_1,X_1)\ldots(\sigma_k,X_k))$ and $f = (Y_0, (\rho_1,Y_1)\ldots(\rho_l,Y_l))$ are trajectories of $P$, then $f \in comp(e)$ provided $k = l$, $\rho_i = \sigma_i$ for all $i = 1, \ldots, k$, and $Y_i \subseteq X_i$ for all $i = 0, \ldots, k$.) It is readily noted that the relation $\le$ is a partial order. Let $M(P)$ be the set of all maximal elements of $P$ with respect to $\le$. (An element $e \in P$ is maximal [30] if for all $f \in P$, $e \le f \Rightarrow e = f$.) It is clear that $M(P)$ is a generating set of $P$, and we shall next see how we can construct from $M(P)$ a state transition graph $gr(P)$. We remark at this point that when $P$ is not a finite set of trajectories, then the present construction will not yield a finite state-transition graph (even when one exists). We shall deal with the finiteness question later in connection with regular processes.

Let $\bar{M}(P) := pref(M(P))$. We identify the state-set of the process $P$ with the set of all trajectories of $\bar{M}(P)$ and shall construct its state-transition graph by induction on trajectory length as described below.

Algorithm 12.1 Let $\bar{M}(P)_0$ be the set of all trajectories of length zero in $\bar{M}(P)$ (again partially ordered by $\le$), and with each trajectory of $\bar{M}(P)_0$ associate a distinct state of $P$, i.e., a node of $gr(P)$. For every distinct pair of trajectories $e, f \in \bar{M}(P)_0$ draw an arrow labeled $\varepsilon$ (to denote an $\varepsilon$-transition) from $e$ to $f$ provided $e \le f$. If the minimal set of $\bar{M}(P)_0$, i.e., the set of all $\le$-minimal elements, consists of a single state, it is called initial. (An element $e \in \bar{M}(P)_0$ is minimal if for all $f \in \bar{M}(P)_0$, $f \le e \Rightarrow e = f$.) Otherwise add one more state which we call initial, and draw an arrow labeled $\varepsilon$ from the initial state to every state in the minimal set.

Suppose now that the state transition graph has been constructed for all trajectories of length $0, \ldots, k-1$. Let $\bar{M}(P)_k$ denote the subset of $\bar{M}(P)$ consisting of all trajectories of length $k$, and proceed as follows.

(i) Choose a new trajectory $e \in \bar{M}(P)_{k-1}$. If no new trajectory exists go to step (viii) below.

(ii) Test divergence of $e$.

(1) Let $X_e$ denote the final refusal set of $e$.

(2) Choose a new symbol $\sigma \in X_e$. If no new symbol exists, go to step (iii).

(3) Let $\bar{M}(P)_{k,e,\sigma}$ denote the subset of $\bar{M}(P)_k$ consisting of all trajectories of the form $e^\frown(\sigma, X_k)$.

(4) If $\bar{M}(P)_{k,e,\sigma} = \emptyset$, go to step (2). Otherwise label the state $e$ with a $\uparrow$ symbol to denote divergence and go to step (i).

(iii) Choose a new symbol $\sigma \in \Sigma - X_e$. If for the given trajectory $e$ no new symbol exists go to step (i).

(iv) If $\bar{M}(P)_{k,e,\sigma} = \emptyset$ go to step (iii).

(v) With each trajectory in $\bar{M}(P)_{k,e,\sigma}$ associate a distinct node of $gr(P)$.

(vi) For every distinct pair of trajectories $f$ and $g$ in $\bar{M}(P)_{k,e,\sigma}$ draw an arrow labeled $\varepsilon$ (to denote an $\varepsilon$-transition) from $f$ to $g$ provided $f \le g$. If the $\le$-minimal set of $\bar{M}(P)_{k,e,\sigma}$ consists of a single state, draw an arrow labeled $\sigma$ from $e$ to this state. Otherwise add one more state, draw an arrow labeled $\sigma$ from $e$ to this new state and an arrow labeled $\varepsilon$ from this state to every state in the minimal set.

(vii) Go to step (iii).

(viii) End of algorithm.

Example 12.5 Let the event set be given by $\Sigma = \{a, b, c\}$, and let the process $P$ be given by

$P = gen\{\ (\{b\}, (c,\{c\})(b,\{a,b,c\})),\ \ (\{b\}, (c,\{b,c\})(a,\{a,b,c\})),\ \ (\{a,b\}, (c,\{a,b,c\}))\ \}$

The process transition graph obtained by Algorithm 12.1 is shown in Figure 13.

[Figure 13: the state transition graph of the process $P$ of Example 12.5, as constructed by Algorithm 12.1.]

Algorithm 12.1 always generates a loop-free state-transition tree as transition graph of a process, which is generally not finite unless $P$ is finite. We turn now to the characterization of regular processes (much in the spirit of regular languages) and will show how to construct finite state transition graphs for such processes.

Let $P$ be a process over a finite alphabet $\Sigma$ and consider again the set $M(P)$ of $\le$-maximal trajectories. A trajectory $e = (X_0, (\sigma_1,X_1)\ldots(\sigma_k,X_k)) \in M(P)$ is called terminal if $X_k = \Sigma$. A trajectory $e \in M(P)$ is said to be recurrent if there exists a nonempty right execution string $v$ such that

$e^\frown v^j \in M(P) \quad \forall j \ge 0$    (106)

where $v^j = v^\frown \ldots ^\frown v$ ($j$ times). If $e$ is a recurrent trajectory, we call a (right) execution string $v$ a recurrence of $e$ if it satisfies (106) above, and no nonempty proper prefix of $v$ does so. Further, we let $V(e)$ denote the set of all recurrences of $e$, and we let $V^*(e)$ be the set of all execution strings $w$ of the form

$w = v_{i_1}^{j_1}\,{}^\frown \ldots {}^\frown\, v_{i_l}^{j_l}$    (107)

where $v_{i_1}, \ldots, v_{i_l} \in V(e)$ and $j_1, \ldots, j_l \ge 0$. Finally, if $e$ is recurrent, we define $rec(e)$ as

$rec(e) := e^\frown V^*(e) := \bigcup_{w \in V^*(e)} e^\frown w$    (108)
13. OPERATORS ON PROCESSES

13.1 Continuity and Fixed Points

In this section we summarize some standard results on continuity and fixed-points of functions on cpo's that are necessary for establishing the soundness of recursive processes. Recall that we are concerned here with the partial order $(\mathcal{P}_{\Sigma_{td}}, \sqsubseteq)$. A function $f : \mathcal{P}_{\Sigma_{td}} \to \mathcal{P}_{\Sigma_{td}}$ is said to be monotonic if it respects the partial order relation, that is, $f$ is monotonic if and only if for all $P, Q \in \mathcal{P}_{\Sigma_{td}}$

$P \sqsubseteq Q \Rightarrow f(P) \sqsubseteq f(Q)$    (109)

A function $f$ is said to be continuous if it preserves least upper bounds, that is, if for every directed set of processes $\mathcal{D}$,

$\bigsqcup f(\mathcal{D}) = f(\bigsqcup \mathcal{D})$    (110)

A function $f : \mathcal{P}_{\Sigma_{td}}^{\,n} \to \mathcal{P}_{\Sigma_{td}}$ in $n$ arguments is monotonic (respectively, continuous) if it is monotonic (respectively, continuous) in each argument separately when all other arguments are held constant. An immediate consequence of the definitions is that continuity implies monotonicity. In fact, the precise connection between monotonicity and continuity is given by the following

Proposition 13.1 The function $f$ is continuous if and only if $f$ is monotonic and, for every directed set of processes $\mathcal{D}$, $\bigsqcup f(\mathcal{D}) \subseteq f(\bigsqcup \mathcal{D})$.

Proof. Suppose $f$ is continuous. Then the only claim that is not obvious is that $f$ is monotonic. Let $P \sqsubseteq Q$. Then $\mathcal{D} = \{P, Q\}$ is a directed set and $\bigsqcup \mathcal{D} = Q$. By continuity, $\bigsqcup f(\mathcal{D}) = f(\bigsqcup \mathcal{D}) = f(Q)$, whence $f(P) \sqsubseteq f(Q)$, establishing monotonicity.

Conversely, assume that $f$ is monotonic and that for every directed set $\mathcal{D}$, $\bigsqcup f(\mathcal{D}) \subseteq f(\bigsqcup \mathcal{D})$ holds. To prove continuity, it remains to show that monotonicity implies the reverse inclusion, that is, $f(\bigsqcup \mathcal{D}) \subseteq \bigsqcup f(\mathcal{D})$. To this end assume that $e \notin \bigsqcup f(\mathcal{D})$. Since $\bigsqcup f(\mathcal{D}) = \bigcap f(\mathcal{D})$, there exists $P \in \mathcal{D}$ such that $e \notin f(P)$. Since $f(\bigsqcup \mathcal{D}) \subseteq f(P)$ by monotonicity of $f$, it follows that $e \notin f(\bigsqcup \mathcal{D})$, concluding the proof.

The above proposition provides us with a fairly manageable definition of continuity. A condition which is frequently even easier to verify is provided next. A function $f$ on processes is said to be pre-image finite if for every trajectory $e$, $f^{-1}(e)$ is finite (i.e., consists of a finite number of trajectories). We then have the following

Theorem 13.1 The function $f$ is continuous if it is monotonic and pre-image finite.

Proof. Since by monotonicity $f(\bigsqcup \mathcal{D}) \subseteq \bigsqcup f(\mathcal{D})$, we must show that the pre-image finiteness property implies that for every directed set $\mathcal{D}$,

$\bigsqcup f(\mathcal{D}) \subseteq f(\bigsqcup \mathcal{D})$

holds. Consider some $e \notin f(\bigsqcup \mathcal{D})$. Then $f^{-1}(e) \cap (\bigsqcup \mathcal{D}) = \emptyset$. Since $f^{-1}(e)$ is finite and $\mathcal{D}$ is directed (each of the finitely many trajectories of $f^{-1}(e)$ is missing from some member of $\mathcal{D}$, and directedness supplies a single member below all of them in the inclusion order), there exists a process $P \in \mathcal{D}$ such that $f^{-1}(e) \cap P = \emptyset$, whence $e \notin f(P)$. But then, since $\bigsqcup f(\mathcal{D}) \subseteq f(P)$, it follows that $e \notin \bigsqcup f(\mathcal{D})$, concluding the proof.

We turn now to the main purpose of the present discussion, namely to the existence of fixed points and their computation. Let $f : \mathcal{P}_{\Sigma_{td}} \to \mathcal{P}_{\Sigma_{td}}$ be a function. A fixed point of $f$ is then a process $P$ such that $f(P) = P$. The following Theorem establishes the existence of fixed points:

Theorem 13.2 (Knaster-Tarski). Let $f : \mathcal{P}_{\Sigma_{td}} \to \mathcal{P}_{\Sigma_{td}}$ be a monotonic function. Then $f$ has a least fixed-point $\mu f$ (or $\mu(p).f(p)$) in $\mathcal{P}_{\Sigma_{td}}$. If $f$ is also continuous, then $\mu(p).f(p)$ can be represented as

$\mu(p).f(p) = \bigsqcup \{f^n(\nabla) \mid n \ge 0\}$    (111)

where $\nabla$ is the divergence process (the least element of $(\mathcal{P}_{\Sigma_{td}}, \sqsubseteq)$).

Theorem 13.2 allows us to define recursive processes, that is, processes defined as least fixed-point solutions to recursive equations of the form

$P = f(P)$    (112)

where $f$ is a continuous function on processes. The process $P$ is then given by $\mu f$ of (111). If $Q$ is any other solution of (112), then $P \sqsubseteq Q$, that is, $P$ is the most nondeterministic solution of (112). (It follows of course immediately that if $P$ is deterministic it is also unique.)

Finally, we remark that a construction similar to the above can be applied to processes defined by mutually recursive equations such as

$P_i = f_i(P_1, \ldots, P_N) \quad i = 1, \ldots, N$    (113)

13.2 Prefix Construction and Choice Operators

Let $Q \in \mathcal{P}_{\Sigma_{td}}$ be a process and let $\sigma \in \Sigma$ be an event symbol. We define the process

$P := (\sigma \to Q)$    (114)

by

$P = (\sigma \to Q) := \{(\varepsilon, X) \mid X \subseteq \Sigma - \{\sigma\}\}$
$\cup\ \{((Y,\sigma)^\frown w, X) \mid Y \subseteq \Sigma - \{\sigma\},\ (w,X) \in Q\}$    (115)

To see that $P$ as given by (115) is a well defined process, we must verify that it satisfies all the conditions of Definition 12.1. Let us focus attention on conditions C2 and C6 (the other conditions are straightforward). To see C2, note that if

$e = ((X_0,\sigma_1)\ldots(X_{k-1},\sigma_k), X_k) \in P$

then by (115), $\sigma_1 = \sigma$ and $X_0 \subseteq \Sigma - \{\sigma\}$, whence $\sigma_1 \notin X_0$. For $j > 0$ condition C2 holds by virtue of the fact that it holds for $Q$. To see that condition C6 holds, it is again enough to consider the case $j = 0$. (We shall use here the right representation of trajectories.) Let $(X_0, w) \in P$ and let $e = (X_0, (\mu, \emptyset))$, $\mu \notin X_0$. Then $e \notin P$ implies that $\mu \ne \sigma$ and hence, by (115), $(X_0 \cup \{\mu\}, w) \in P$. Thus the process $P$ is indeed well defined as claimed.

The construction (114) is called the prefix construction or the prefix operator and we have the following

Proposition 13.2 The prefix operator is well defined.

For any $Y \subseteq \Sigma - \{\sigma\}$, it then follows that $Q = P/(Y,\sigma)$. If we choose $Y = \emptyset$, we can, in particular, write $Q = P/(\emptyset,\sigma)$, which, upon identification of the execution $(\emptyset,\sigma)$ with the event symbol $\sigma$, becomes

$Q = P/\sigma$    (116)

We interpret the process $(\sigma \to Q)$ as the process that first executes the event $\sigma$ and then proceeds like $Q$. Thus, we can define the process $P$ as

$P = (\sigma \to P/\sigma)$    (117)

and for an execution string $w$ of $Q$ we can write

$Q/w = (\sigma \to Q)/\sigma^\frown w$    (118)

where $\sigma^\frown w = (\emptyset,\sigma)^\frown w$. If the process $Q$ makes silent transitions, then so does also the process $(\sigma \to Q)$, and it follows that

$Q \xrightarrow{\varepsilon} Q' \Rightarrow (\sigma \to Q) \xrightarrow{\varepsilon} (\sigma \to Q')$    (119)

By Theorem 13.1, the prefix operator is continuous if it is monotonic and pre-image finite. Both of these properties are obvious from the definition, whence we have

Proposition 13.3 The prefix operator $(\sigma \to \cdot)$ is continuous.

An example of a process built with the prefix construction is

Example 13.1 [The process $(\sigma \to \Delta)$]. This process is (see Example 12.2 and the defining expression (115) above)

$(\sigma \to \Delta) = \{(\varepsilon, X) \mid X \subseteq \Sigma - \{\sigma\}\} \cup \{((Y,\sigma), X) \mid Y \subseteq \Sigma - \{\sigma\},\ X \subseteq \Sigma\}$
$= gen((\Sigma - \{\sigma\}, \sigma), \Sigma)$
The prefix construction can be parameterized as follows. Let $A \subseteq \Sigma$ be a subset of event symbols and for each $\sigma \in A$, let $Q(\sigma)$ be a process. Then we define the parameterized prefix process

$(\sigma : A \to Q(\sigma))$    (120)

as the process that for any event $\sigma \in A$ first executes the event $\sigma$ and then proceeds to execute $Q(\sigma)$. It is given by

$(\sigma : A \to Q(\sigma)) = \{(\varepsilon, X) \mid X \subseteq \Sigma - A\}\ \cup$
$\{((Y,\sigma)^\frown w, X) \mid \sigma \in A,\ Y \subseteq \Sigma - A,\ (w,X) \in Q(\sigma)\}$    (121)

(Notice that the event $\sigma$ is a bound variable in the above expression.) As before, if $Q(\sigma)$ makes silent transitions, so does the process (120), that is,

$Q(\sigma) \xrightarrow{\varepsilon} Q'(\sigma) \Rightarrow (\sigma : A \to Q(\sigma)) \xrightarrow{\varepsilon} (\sigma : A \to Q'(\sigma))$    (122)

In the process (121), the selection of the first event $\sigma \in A$ is deterministic, that is, completely controlled by the environment. Furthermore, upon selection of the event $\sigma \in A$, the specific process $(\sigma \to Q(\sigma))$ is completely determined. This leads us to an important interpretation of the parameterization of the prefix construction. Consider, for simplicity, the case where $A = \{\sigma_1, \sigma_2\}$. For each $\sigma_i$, the process $(\sigma_i \to Q(\sigma_i))$ is given by (115), and the parameterized prefix construction is given by (121). It is then easy to check that the following holds

$(\sigma_i : \{\sigma_1,\sigma_2\} \to Q(\sigma_i)) =$
$\{e \in (\sigma_1 \to Q(\sigma_1)) \cup (\sigma_2 \to Q(\sigma_2)) \mid pref_0(e) \in (\sigma_1 \to Q(\sigma_1)) \cap (\sigma_2 \to Q(\sigma_2))\}$    (123)

where $pref_0(e)$ denotes the length-zero prefix of the trajectory $e$, that is, $pref_0(e) = (\varepsilon, X_0)$ for $e = ((X_0,\sigma_1)\ldots(X_{k-1},\sigma_k), X_k)$.

Thus, the parameterization of the prefix construction can be interpreted as an operator on processes that deterministically selects a process from a specified class of processes through the execution of the first event. We call this operator the external choice operator and denote it by the addition symbol $+$. Thus for two processes $(\sigma_1 \to Q(\sigma_1))$ and $(\sigma_2 \to Q(\sigma_2))$, we can write

$(\sigma_1 \to Q(\sigma_1)) + (\sigma_2 \to Q(\sigma_2)) := (\sigma_i : \{\sigma_1,\sigma_2\} \to Q(\sigma_i))$    (124)

The external choice operator can be extended to processes that do not necessarily have disjoint initial events. For two arbitrary processes $P$ and $Q$, the external choice operator is defined as

$P + Q := \{e \in P \cup Q \mid pref_0(e) \in P \cap Q\}$ if $P \cup Q \ne \nabla$, and $P + Q := \nabla$ otherwise    (125)

Thus, the process $P + Q$ can initially refuse only events that can be refused by both $P$ and $Q$, and afterwards evolves either to $P$ or to $Q$, unless one (or both) of the processes diverges from the start, in which case so does also the process $P + Q$. The important point is that at the start, the composite process has externally available all events that are externally available to either of the individual components, unless one or the other diverges. The choice of initial event can thus be decided by the environment whenever it can be decided by the environment in the component processes.


Proposition 13.4 The external choice operator is well defined and continuous.

The external choice operator is easily seen to be idempotent, commutative and associative, with the process $\Delta$ serving as unit and the process $\nabla$ serving as a zero, that is, for processes $P$, $Q$ and $R$ we have

$P + \Delta = P$
$P + \nabla = \nabla$
$P + P = P$    (126)

$P + Q = Q + P$
$(P + Q) + R = P + (Q + R)$    (127)

By Theorem 12.1, the union $R$ of two processes $P$ and $Q$ is a process. The process $R$ can initially either refuse events that can be refused by $P$ or events that can be refused by $Q$, but the choice cannot be influenced by the environment. We interpret this choice as being determined internally in the process by a completely nondeterministic mechanism. We call this choice the internal choice operator, denoted $\oplus$. Thus, for processes $P$ and $Q$, we define

$P \oplus Q := P \cup Q$    (128)

Obviously, just as the operator $+$, the operator $\oplus$ is also idempotent, associative and commutative, and has $\nabla$ as the zero. However, it does not have $\Delta$ as its unity. It is interesting to observe that, in view of Equation (87), $R = P \oplus Q$ implies that $R \xrightarrow{\varepsilon} P$ and $R \xrightarrow{\varepsilon} Q$, namely, both $P$ and $Q$ are $\varepsilon$-postprocesses of $R$. Indeed, operationally, $R$ is precisely the process that either makes a silent transition to become $P$ or makes a silent transition to become $Q$. As a special case of the above, we have

$P = P \oplus Q \Leftrightarrow P \xrightarrow{\varepsilon} Q \Leftrightarrow P \supseteq Q$    (129)

Proposition 13.5 The internal choice operator is continuous.

Consider now the case when we have two prefix processes $P = (\sigma \to P')$ and $Q = (\sigma \to Q')$, and let $R = P \oplus Q$. The first event of the process $R$ is the event $\sigma$, after which it evolves either to $P'$ or to $Q'$; but the choice of whether, after the execution of $\sigma$, the process $R$ behaves like $P'$ or like $Q'$ is not specified by the process and, thus, cannot be influenced by the environment. The above is a special case of the following proposition, which is an immediate consequence of the definitions of the operators $+$ and $\oplus$.

Proposition 13.6 Let $P, Q \in \mathcal{P}_{\Sigma_{td}}$ be processes such that $(\varepsilon, X) \in P$ if and only if $(\varepsilon, X) \in Q$. Then $P + Q = P \oplus Q$.

Corollary 13.1 Let $P, Q \in \mathcal{P}_{\Sigma_{td}}$ be processes. Then

$(\sigma \to P) + (\sigma \to Q) = (\sigma \to P) \oplus (\sigma \to Q)$

$(\sigma \to P) + (\sigma \to Q) = (\sigma \to P \oplus Q)$
We also have the following distributivity laws for $+$ and $\oplus$.

Proposition 13.7 Let $P$, $Q$ and $R$ be processes in $\mathcal{P}_{\Sigma_{td}}$. Then

$(P + Q) \oplus R = (P \oplus R) + (Q \oplus R)$    (130)

$(P \oplus Q) + R = (P + R) \oplus (Q + R)$

Proof. We shall prove the first distributivity law. The second one follows similarly.

$(P + Q) \oplus R = (P + Q) \cup R$

$= \{e \in P \cup Q \cup R \mid pref_0(e) \in (P \cap Q) \cup R\}$ if $P \cup Q \ne \nabla$, $\nabla$ otherwise

$= \{e \in (P \cup R) \cup (Q \cup R) \mid pref_0(e) \in (P \cup R) \cap (Q \cup R)\}$ if $P \cup Q \ne \nabla$, $\nabla$ otherwise

$= \{e \in (P \cup R) \cup (Q \cup R) \mid pref_0(e) \in (P \cup R) \cap (Q \cup R)\}$ if $(P \cup R) \cup (Q \cup R) \ne \nabla$, $\nabla$ otherwise

$= (P \oplus R) + (Q \oplus R)$.

The fourth equality above follows from the fact that if $R = \nabla$, the condition $pref_0(e) \in ((P \cup R) \cap (Q \cup R))$ is obviously always satisfied.

Remark. The second line of the chain above asserts that every $e \in P \cup Q$ with $pref_0(e) \in R$ lies in $(P + Q) \cup R$, and the definition (125) does not guarantee this: a trajectory of $P$ whose initial refusal set is also an initial refusal set of $R$ need belong neither to $P + Q$ nor to $R$. For instance, with $P = (a \to \Delta)$, $Q = (b \to \Delta)$ as in Example 13.2 below and $R = \Delta$, the trajectory $((\{b\}, a), \{a, b\})$ belongs to $(P \oplus \Delta) + (Q \oplus \Delta)$, because its length-zero prefix $(\varepsilon, \{b\})$ is a trajectory of $\Delta$, but not to $(P + Q) \oplus \Delta$, whose trajectories either have empty initial refusal set or execute no event. The first law of (130) therefore depends on additional hypotheses relating $R$ to $P$ and $Q$; the cases $R = P$ and $R = Q$, which are the ones used in Proposition 13.8 and Corollary 13.2, do hold. The second law holds in general: for $e \in P$ the condition $pref_0(e) \in (P \cup Q) \cap R$ reduces, since $pref_0(e) \in P$ by condition C3, to $pref_0(e) \in P \cap R$, and symmetrically for $e \in Q$. This is one point at which the trajectory model, which records the refusal set before every event, differs from a model that records only the refusal set at the end of a trace.

An immediate consequence of the above discussion is the following. Let $A, B \subseteq \Sigma$. Then

$(a : A \to P(a)) + (b : B \to Q(b)) = (c : A \cup B \to R(c))$

where

$R(c) = P(c)$ if $c \in A - B$
$R(c) = Q(c)$ if $c \in B - A$
$R(c) = P(c) \oplus Q(c)$ if $c \in A \cap B$

Also

$(a : A \to P(a)) \oplus (a : A \to Q(a)) = (a : A \to P(a) \oplus Q(a))$    (131)

As a further illustration of how the operators $+$ and $\oplus$ differ from each other, consider the following example.

Example 13.2 Let $\Sigma = \{a, b\}$ and define the processes $P = (a \to \Delta) = gen((\{b\}, a), \{a, b\})$ and $Q = (b \to \Delta) = gen((\{a\}, b), \{a, b\})$. We can obtain a variety of composite processes from $P$ and $Q$ by using the external and internal choice operators as follows:

$P + Q = gen\{((\emptyset, a), \{a, b\}),\ ((\emptyset, b), \{a, b\})\}$

$P \oplus Q = gen\{((\{b\}, a), \{a, b\}),\ ((\{a\}, b), \{a, b\})\}$

$(P + Q) \oplus P = gen\{((\emptyset, a), \{a, b\}),\ ((\emptyset, b), \{a, b\}),\ ((\{b\}, a), \{a, b\})\}$

$(P + Q) \oplus Q = gen\{((\emptyset, a), \{a, b\}),\ ((\emptyset, b), \{a, b\}),\ ((\{a\}, b), \{a, b\})\}$

The above example is a special case of the following summary of the possible ways choice between two processes can be exercised. We express the different choice operators in a symmetric fashion to emphasize the distinctions.

Proposition 13.8

$P \oplus Q = \{e \in (P \cup Q) \mid pref_0(e) \in P \cup Q\}$ if $P \cup Q \ne \nabla$, $\nabla$ otherwise

$(P + Q) \oplus P = (P \oplus Q) + P = \{e \in (P \cup Q) \mid pref_0(e) \in P\}$ if $P \cup Q \ne \nabla$, $\nabla$ otherwise

$(P + Q) \oplus Q = (P \oplus Q) + Q = \{e \in (P \cup Q) \mid pref_0(e) \in Q\}$ if $P \cup Q \ne \nabla$, $\nabla$ otherwise

$P + Q = \{e \in (P \cup Q) \mid pref_0(e) \in P \cap Q\}$ if $P \cup Q \ne \nabla$, $\nabla$ otherwise

An immediate consequence of the above proposition is the following

Corollary 13.2

$P + Q \subseteq (P + Q) \oplus P = (P \oplus Q) + P \subseteq P \oplus Q$
$P + Q \subseteq (P + Q) \oplus Q = (P \oplus Q) + Q \subseteq P \oplus Q$

(equivalently, in the order $\sqsubseteq$ of (88), $P \oplus Q \sqsubseteq (P + Q) \oplus P \sqsubseteq P + Q$, and likewise with $Q$ in place of $P$).

13.3 Parallel Composition 


In this section we introduce the operation of parallel composition. The operator that we 
present here extends significantly the scope of synchronization operators previously proposed 
in the literature. Specifically, our operator can model synchronizations ranging from rigid 
concurrency (with deadlock) to broadcast synchronization [41] that is deadlock free. It is this 
operation that requires the extended modeling framework developed in the present paper. 

Let $P$ and $Q$ be processes in $\mathcal{P}_\Sigma$ and let $A$ and $B$ be subsets of $\Sigma$, that we call the blocking or priority sets of $P$ and $Q$, respectively. We define now the prioritized synchronous composition of $P$ and $Q$ with priority sets $A$ and $B$, denoted $P_A\|_B Q$, as follows:

$$ P_A\|_B Q := \{\, g \mid \exists\, e \in P,\ f \in Q :\ g \in (e_A\|_B f) \,\} \quad (132) $$

where $(e_A\|_B f)$ denotes the set of all successful synchronized interleavings of $e$ and $f$ as defined below. We shall also need the following notation: For subsets $X, Y \subseteq \Sigma_{td}$ define

$$ S(X, Y) = S_{AB}(X, Y) := \begin{cases} (X \cap Y) \cup (X \cap A) \cup (Y \cap B) & \text{if } X \cup Y \neq \Sigma_{td} \\ \Sigma_{td} & \text{otherwise} \end{cases} \quad (133) $$

The set $S(X, Y)$ is a composite refusal set and represents the idea that an event is refused if it is either refused by both processes or if it is refused by one process that can block it (i.e., the event is in the refusing process' priority set).


The definition of $(e_A\|_B f)$ is given inductively as follows: (It will be convenient here to use the right representation of trajectories.)

Definition 13.1 (i) For $e = (X_0, \varepsilon) \in P$ and $f = (Y_0, \varepsilon) \in Q$

$$ (e_A\|_B f) := \{\, (Z, \varepsilon) \mid Z \subseteq S(X_0, Y_0) \,\} $$

(ii) Assume that $(e_A\|_B f)$ is defined for trajectories

$$ e = (X_0, (\sigma_1, X_1) \ldots (\sigma_k, X_k)) \in P \quad (134) $$

$$ f = (Y_0, (\mu_1, Y_1) \ldots (\mu_l, Y_l)) \in Q \quad (135) $$

and let

$$ e' = e \frown (\sigma, X_{k+1}) \in P \quad (136) $$

$$ f' = f \frown (\mu, Y_{l+1}) \in Q \quad (137) $$

Then

(a) $(e'_A\|_B f') := \begin{cases} \{\, g = h \frown (\sigma, Z) \mid h \in (e_A\|_B f)\ \&\ Z \subseteq S(X_{k+1}, Y_{l+1}) \,\} & \text{if } \sigma = \mu \\ \text{undefined} & \text{otherwise} \end{cases}$

(b) $(e'_A\|_B f) := \begin{cases} \{\, g = h \frown (\sigma, Z) \mid h \in (e_A\|_B f)\ \&\ Z \subseteq S(X_{k+1}, Y_l) \,\} & \text{if } f \frown (\sigma, \emptyset) \notin Q \text{ and } \sigma \notin B, \text{ or if } \sharp \in X_k \\ \text{undefined} & \text{otherwise} \end{cases}$

(c) $(e_A\|_B f') := \begin{cases} \{\, g = h \frown (\mu, Z) \mid h \in (e_A\|_B f)\ \&\ Z \subseteq S(X_k, Y_{l+1}) \,\} & \text{if } e \frown (\mu, \emptyset) \notin P \text{ and } \mu \notin A, \text{ or if } \sharp \in Y_l \\ \text{undefined} & \text{otherwise} \end{cases}$


Before proceeding with our discussion, let us note the following

Proposition 13.9 For any process $P$ and subsets $A, B \subseteq \Sigma$

$$ P_A\|_B V = V \quad (138) $$

Proof. Since, obviously, $P_A\|_B V \subseteq V$, we only need to show that the reverse inclusion holds for an arbitrary process $P$. Let $f = (X_0, (\sigma_1, X_1) \ldots (\sigma_k, X_k)) \in V$ be any trajectory. Then $f \in \mathrm{comp}(f^*)$ where $f^* = (\Sigma_{td}, (\sigma_1, \Sigma_{td}) \ldots (\sigma_k, \Sigma_{td})) \in V$. We will be done by showing that $f \in (e_A\|_B f^*)$, where $e = (\emptyset, \varepsilon) \in P$ (arbitrary $P$). Indeed, by employing (i) above we obtain that

$$ \mathrm{pref}_0(f) = (X_0, \varepsilon) \in (e_A\|_B \mathrm{pref}_0(f^*)) = \{\, (Z, \varepsilon) : Z \subseteq S(\emptyset, \Sigma_{td}) \,\} $$

Proceeding inductively, it is not difficult to see that if we assume that

$$ \mathrm{pref}_j(f) = (X_0, (\sigma_1, X_1) \ldots (\sigma_j, X_j)) \in (e_A\|_B \mathrm{pref}_j(f^*)) $$

then by application of (ii c) above it follows immediately (since $\sharp \in \Sigma_{td}$) that

$$ \mathrm{pref}_{j+1}(f) \in (e_A\|_B \mathrm{pref}_{j+1}(f^*)) $$

We now have the following Theorem:

Theorem 13.3 The process $P_A\|_B Q$ is well defined.

Proof. We need to show that the conditions of Definition 12.1 are satisfied. First note that $S(\emptyset, \emptyset) = \emptyset$, whence $(\emptyset, \varepsilon) \in P_A\|_B Q$ and C1 holds. To prove C2, we proceed inductively. The condition holds trivially for $(e_A\|_B f)$, where $e = (X, \varepsilon)$ and $f = (Y, \varepsilon)$. So assume that it holds for $(e_A\|_B f)$ where $e$ and $f$ are given by (134) and (135), respectively. If for some $i : 0 \le i \le k$

$$ (X_0, (\sigma_1, X_1) \ldots (\sigma_i, X_i \cup \{\sharp\})) \in P \quad (139) $$

or if for some $j : 0 \le j \le l$

$$ (Y_0, (\mu_1, Y_1) \ldots (\mu_j, Y_j \cup \{\sharp\})) \in Q \quad (140) $$

then there is nothing more to show in view of condition C7 of Definition 12.1 (see also Proposition 13.9). So assume that (139) and (140) are false for all $i$ and $j$, respectively, and let $e' \in P$ and $f' \in Q$ be given, respectively, by (136) and (137). Then $\sigma \notin X_k$ and $\mu \notin Y_l$ and we need to consider three cases. First, if $\sigma = \mu$, then $\sigma \notin X_k \cup Y_l$ and it follows immediately that $\sigma \notin S(X_k, Y_l)$. Thus, C2 holds for $(e'_A\|_B f')$. Next, if $\sigma \notin B$ it again follows that $\sigma \notin S(X_k, Y_l)$ and C2 holds for $(e'_A\|_B f)$. Finally, if $\mu \notin A$, then $\mu \notin S(X_k, Y_l)$ and C2 holds for $(e_A\|_B f')$. This proves condition C2. Conditions C3, C4 and C5 are straightforward and condition C7 is proved in a manner similar to the proof of Proposition 13.9. We turn to condition C6. Assume that

$$ g = (Z_0, (\alpha_1, Z_1) \ldots (\alpha_n, Z_n)) \in (e_A\|_B f) \subseteq P_A\|_B Q $$

for trajectories $e \in P$ and $f \in Q$ where $e$ and $f$ are given, respectively, by (134) and (135), and assume further that for some $m : 0 \le m \le n$ and some $\alpha \in \Sigma - Z_m$, the trajectory

$$ (Z_0, (\alpha_1, Z_1) \ldots (\alpha_m, Z_m)(\alpha, \emptyset)) \notin P_A\|_B Q \quad (141) $$

We need to show that the above implies that

$$ g' = (Z_0, (\alpha_1, Z_1) \ldots (\alpha_m, Z_m \cup \{\alpha\}) \ldots (\alpha_n, Z_n)) \in P_A\|_B Q $$

From condition C3 we know that

$$ \hat g = (Z_0, (\alpha_1, Z_1) \ldots (\alpha_m, Z_m)) \in (\hat e_A\|_B \hat f) \subseteq P_A\|_B Q $$

for suitable prefixes

$$ \hat e = (X_0, (\sigma_1, X_1) \ldots (\sigma_i, X_i)) = (X_0, u) $$

$$ \hat f = (Y_0, (\mu_1, Y_1) \ldots (\mu_j, Y_j)) = (Y_0, v) $$

of $e$ and $f$, respectively. We must consider three cases in which (141) can hold.

(i) $(X_0, u \frown (\alpha, \emptyset)) \in P$, $(Y_0, v \frown (\alpha, \emptyset)) \notin Q$, and $\alpha \in B$. By applying condition C6 to $Q$, it follows that

$$ f' = (Y_0, (\mu_1, Y_1) \ldots (\mu_j, Y_j \cup \{\alpha\}) \ldots (\mu_l, Y_l)) \in Q $$

Furthermore, $\alpha \in B$ implies that $S(X_i, Y_j \cup \{\alpha\}) = S(X_i, Y_j) \cup \{\alpha\}$, and it follows that $Z_m \cup \{\alpha\} \subseteq S(X_i, Y_j \cup \{\alpha\})$. It now easily follows that

$$ g' \in (e_A\|_B f')\ (\subseteq P_A\|_B Q) \quad (142) $$

(ii) $(X_0, u \frown (\alpha, \emptyset)) \notin P$, $(Y_0, v \frown (\alpha, \emptyset)) \in Q$, and $\alpha \in A$. This case is similar to case (i).

(iii) $(X_0, u \frown (\alpha, \emptyset)) \notin P$, $(Y_0, v \frown (\alpha, \emptyset)) \notin Q$. By applying condition C6 to $P$ and to $Q$ it follows that

$$ e' = (X_0, (\sigma_1, X_1) \ldots (\sigma_i, X_i \cup \{\alpha\}) \ldots (\sigma_k, X_k)) \in P $$

$$ f' = (Y_0, (\mu_1, Y_1) \ldots (\mu_j, Y_j \cup \{\alpha\}) \ldots (\mu_l, Y_l)) \in Q $$

Also, $S(X_i \cup \{\alpha\}, Y_j \cup \{\alpha\}) = S(X_i, Y_j) \cup \{\alpha\}$. It is now not difficult to show that

$$ g' \in (e'_A\|_B f')\ (\subseteq P_A\|_B Q) $$

This completes the proof. The following properties of the parallel composition operator are not hard to prove.


Theorem 13.4 For processes $P$, $Q$ and $R$ with priority sets $A$, $B$ and $C$, respectively,

$$ P_A\|_B P = P \quad (143) $$

$$ P_A\|_B Q = Q_B\|_A P \quad (144) $$

$$ (P_A\|_B Q)_{A \cup B}\|_C R = P_A\|_{B \cup C}(Q_B\|_C R) \quad (145) $$

Parallel composition distributes over the internal choice operator and we have the following.

Theorem 13.5 For processes $P$, $Q$ and $R$ with priority sets $A$ and $B$

$$ P_A\|_B (Q \oplus R) = (P_A\|_B Q) \oplus (P_A\|_B R) \quad (146) $$

In fact, the above theorem generalizes to arbitrary sets of processes as follows

Theorem 13.6 Let $\mathcal{V}$ be an arbitrary set of processes. Then

$$ \bigcup_{P_\alpha \in \mathcal{V}} (P_{\alpha\,A}\|_B Q) = \Big(\bigcup_{P_\alpha \in \mathcal{V}} P_\alpha\Big)_A\|_B Q \quad (147) $$


The fact that parallel composition does not, in general, distribute over the external choice operator is exhibited by the following simple

Example 13.3 Let $\Sigma = \{a, b, c\}$, let

$$ P = \mathrm{gen}\{(\{b\}, (a, \{a, b, c\})),\ (\{b\}, (c, \{a, b, c\}))\} $$

$$ Q = \mathrm{gen}\{(\{b, c\}, (a, \{a, b, c\}))\} $$

$$ R = \mathrm{gen}\{(\{a, c\}, (b, \{a, b, c\}))\} $$

and $A = \{a, c\}$, $B = \{a, b\}$. Then

$$ S := P_A\|_B (Q + R) = \mathrm{gen}\left\{ \begin{array}{l} (\emptyset, (a, \{a, b, c\})) \\ (\emptyset, (b, \{a, b\})(c, \{a, b, c\})) \\ (\emptyset, (c, \{a, c\})(b, \{a, b, c\})) \end{array} \right\} \quad (148) $$

$$ T := P_A\|_B Q + P_A\|_B R = \mathrm{gen}\left\{ \begin{array}{l} (\emptyset, (a, \{a, b, c\})) \\ (\emptyset, (c, \{a, b, c\})) \\ (\emptyset, (b, \{a, b\})(c, \{a, b, c\})) \\ (\emptyset, (c, \{a, c\})(b, \{a, b, c\})) \end{array} \right\} $$

Thus, the process $T$ can deadlock after an initial execution of $c$ while the process $S$ cannot.

The operational behavior of the operator is exhibited in a transparent way by the following transition formulas (we use the right representation):

Let $(\sigma, X)$ be an execution. Then

$$ P \xrightarrow{(\sigma, X)} P'\ \&\ Q \xrightarrow{(\sigma, X)} Q' \ \Longrightarrow\ P_A\|_B Q \xrightarrow{(\sigma, X)} P'_A\|_B Q' \quad (149) $$

$$ P \xrightarrow{(\sigma, X)} P'\ \&\ Q \overset{(\sigma, X)}{\nrightarrow} \ \Longrightarrow\ \begin{cases} P_A\|_B Q \xrightarrow{(\sigma, X)} P'_A\|_B Q & \text{if } \sigma \notin B \\ P_A\|_B Q \overset{(\sigma, X)}{\nrightarrow} & \text{if } \sigma \in B \end{cases} \quad (150) $$

$$ Q \xrightarrow{(\sigma, X)} Q'\ \&\ P \overset{(\sigma, X)}{\nrightarrow} \ \Longrightarrow\ \begin{cases} P_A\|_B Q \xrightarrow{(\sigma, X)} P_A\|_B Q' & \text{if } \sigma \notin A \\ P_A\|_B Q \overset{(\sigma, X)}{\nrightarrow} & \text{if } \sigma \in A \end{cases} \quad (151) $$

where the notation $P \overset{(\sigma, X)}{\nrightarrow}$ means that the execution $(\sigma, X)$ is not possible for $P$.

Equation (149) states that if a given execution $(\sigma, X)$ is possible for both processes $P$ and $Q$, then it will be executed simultaneously (i.e., in synchronization) in both processes. When an execution is initiated by one of the processes (and hence is of course possible in it) but is not possible in the other, the initiating process will execute the event on its own unless the event symbol is in the blocking, or priority, set of the other process, in which case the execution will be blocked leading to a deadlock.

The above definition of concurrency, being parametrized by the two priority sets, models a wide range of behaviors depending on the chosen values of the parameters. Let us consider a number of interesting special cases.

• $A = B = \Sigma$. Strict synchronization is obtained; events are executed if and only if they are possible in both processes, and deadlock occurs otherwise.

• $A = B = \emptyset$. This is the so-called broadcast synchronization, in which case each process can offer, at will, events for execution. If the other process can execute the offered event as well, they will execute it together in synchronization; otherwise the initiating process will execute the offered event by itself. Obviously, broadcast synchronization can never lead to deadlock.

• $A = B = S \neq \Sigma$. This parametrization models strict synchronization for events in $S$ and broadcast synchronization for events in $\Sigma - S$.

• $A \cap B = \emptyset$ and $A \cup B = \Sigma$. In this case each process can execute events in its own priority set without interference of the other process, with assurance of synchronous participation of the other process whenever possible. At the same time a process cannot execute events in the other process' priority set without the other process' participation.

• $B \subseteq A$. Events in $\Sigma - A$ can be executed by each process without interference by the other process but with synchronous participation of the other process whenever possible. Events in $A - B$ require participation of process $P$ for execution while events in $B$ require participation of both processes; otherwise deadlock will occur.

There is one additional special case that is not explicitly parametrized by $A$ and $B$ that deserves attention. Let $\Sigma = \Sigma_P \cup \Sigma_Q$ where $\Sigma_P$ includes all events that process $P$ can ever execute and similarly for $\Sigma_Q$. Then each event in $\hat\Sigma := \Sigma - \Sigma_P \cap \Sigma_Q$ can be executed by at most one of the two processes. Thus for events in $\hat\Sigma$ the parallel composition operator models event interleaving.
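The transition rules (149)-(151) and the special cases above, as an added Python example that is not part of the report: deterministic processes are modelled as finite labelled transition systems (refusal sets are left out), the composition follows the three rules, and the traces of $P_A\|_B Q$ are enumerated for the strict, the broadcast and an asymmetric choice of priority sets. The processes `P`, `Q` and the event set `SIGMA` are constructed for the illustration.

```python
from collections import deque


class Process:
    """A deterministic process as a finite labelled transition system: an initial
    state and a partial map (state, event) -> next state. Refusal sets are not
    modelled; only the executions (events) that are possible in each state."""

    def __init__(self, init, trans):
        self.init = init
        self.trans = dict(trans)

    def step(self, state, event):
        # None: the execution of `event` is not possible for this process here
        return self.trans.get((state, event))

    def enabled(self, state):
        return {ev for (s, ev) in self.trans if s == state}


def compose(p, q, a, b):
    """Prioritized synchronous composition P_A||_B Q via rules (149)-(151):
    an event possible in both processes is executed jointly; an event possible
    in only one process is executed by that process alone, unless it lies in
    the priority (blocking) set of the other process, in which case it is
    blocked. Composing deterministic processes yields a deterministic one."""
    init = (p.init, q.init)
    trans = {}
    seen, todo = {init}, deque([init])
    while todo:
        sp, sq = todo.popleft()
        for ev in p.enabled(sp) | q.enabled(sq):
            np_, nq = p.step(sp, ev), q.step(sq, ev)
            if np_ is None:          # only Q can execute ev: rule (151)
                if ev in a:          # P blocks it
                    continue
                np_ = sp
            elif nq is None:         # only P can execute ev: rule (150)
                if ev in b:          # Q blocks it
                    continue
                nq = sq
            # otherwise both execute ev in synchronization: rule (149)
            nxt = (np_, nq)
            trans[((sp, sq), ev)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return Process(init, trans)


def traces(proc, depth):
    """All traces of proc of length <= depth (a finite cut of its language)."""
    result = {()}
    frontier = [((), proc.init)]
    for _ in range(depth):
        nxt = []
        for tr, st in frontier:
            for ev in proc.enabled(st):
                t2 = tr + (ev,)
                result.add(t2)
                nxt.append((t2, proc.step(st, ev)))
        frontier = nxt
    return result


# Constructed illustration: P executes a then b, Q executes a then c.
SIGMA = {"a", "b", "c"}
P = Process(0, {(0, "a"): 1, (1, "b"): 2})
Q = Process(0, {(0, "a"): 1, (1, "c"): 2})


def special_cases(depth=4):
    """Traces of P_A||_B Q for three choices of the priority sets."""
    return {
        # A = B = Sigma: strict synchronization; after the shared a, P offers b
        # and Q offers c, each blocked by the other, so the composite deadlocks
        "strict": traces(compose(P, Q, SIGMA, SIGMA), depth),
        # A = B = empty: broadcast synchronization; b and c interleave freely
        "broadcast": traces(compose(P, Q, set(), set()), depth),
        # A = {b, c}, B = empty: P executes b alone, but c needs P, so Q's c is
        # blocked and the composite stops after (a, b)
        "asymmetric": traces(compose(P, Q, {"b", "c"}, set()), depth),
    }


if __name__ == "__main__":
    for name, trs in special_cases().items():
        print(name, sorted(trs))
```

Identities (143) and (144) can be checked on the same objects: `traces(compose(P, P, A, B), n)` equals `traces(P, n)`, and swapping the operands together with their priority sets leaves the traces unchanged.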

The following results will be useful in discussing certain control problems. 

Theorem 13.7 If $P$ and $Q$ are deterministic processes then for any $A, B \subseteq \Sigma$, the process $P_A\|_B Q$ is deterministic as well.

Proposition 13.10 Let $A_1, A_2, B \subseteq \Sigma$ be any subsets and consider processes $P$ and $Q$. If $A_1 \subseteq A_2$, then

$$ \mathcal{L}(P_{A_2}\|_B Q) \subseteq \mathcal{L}(P_{A_1}\|_B Q) \quad (152) $$

Proof. Since for a process $P$ we can identify $\mathcal{L}(P)$ with $P_f$, its set of free trajectories (see Section II), we need to consider only the free trajectories of $P$ and $Q$. We will proceed by induction on trajectory length. The trajectory $(\emptyset, \varepsilon)$ is in every process, so assume that the proposition holds for all free trajectories of length up to and including $k$. We shall show that it holds also for trajectories of length $k + 1$. Let

$$ (\emptyset, w \frown (\sigma, \emptyset)) \in (P_{A_2}\|_B Q) \quad (153) $$

where $(\emptyset, w) \in (P_{A_2}\|_B Q)$ is a (free) trajectory of length $k$. Let $E(w)$ denote the set of all free trajectories $e \in P$ for which there exist $f \in Q$ such that

$$ (\emptyset, w) \in (e_{A_2}\|_B f) \quad (154) $$

For each $e \in E(w)$ let $F(e)$ denote the set of all trajectories $f$ satisfying (154). To show that $(\emptyset, w \frown (\sigma, \emptyset)) \in (P_{A_1}\|_B Q)$, we must consider three cases:

(i) There exists $e \in E(w)$ and $f \in F(e)$ such that $e \frown (\sigma, \emptyset) \in P$ and $f \frown (\sigma, \emptyset) \in Q$. Then

$$ (\emptyset, w \frown (\sigma, \emptyset)) \in (e \frown (\sigma, \emptyset)_{A_1}\|_B f \frown (\sigma, \emptyset)) \subseteq (P_{A_1}\|_B Q) $$

(ii) For all $e \in E(w)$ there exists no $f \in F(e)$ such that $f \frown (\sigma, \emptyset) \in Q$. Then (153) implies that $\sigma \notin B$, whence

$$ (\emptyset, w \frown (\sigma, \emptyset)) \in (e \frown (\sigma, \emptyset)_{A_1}\|_B f) \subseteq (P_{A_1}\|_B Q) $$

(iii) There is no $e \in E(w)$ such that $e \frown (\sigma, \emptyset) \in P$. In this case (153) implies that $\sigma \notin A_2$ and since $A_1 \subseteq A_2$, it follows that $\sigma \notin A_1$. Thus

$$ (\emptyset, w \frown (\sigma, \emptyset)) \in (e_{A_1}\|_B f \frown (\sigma, \emptyset)) \subseteq (P_{A_1}\|_B Q) $$

This completes the proof.

Proposition 13.11 Let $P$ and $Q$ be processes. If $\mathcal{L}(P) \subseteq \mathcal{L}(Q)$ then, for all $A, B \subseteq \Sigma$,

$$ \mathcal{L}(P) \subseteq \mathcal{L}(P_A\|_B Q) \quad (155) $$

Proof. Elementary.

Proposition 13.12 Let $A, B \subseteq \Sigma$ be any subsets and let $P_1$, $P_2$ and $Q$ be processes. Then

$$ \mathcal{L}(P_1) \subseteq \mathcal{L}(P_2) \ \Longrightarrow\ \mathcal{L}(P_{1\,A}\|_B Q) \subseteq \mathcal{L}(P_{2\,A}\|_B Q) \quad (156) $$

An immediate consequence of the above Proposition is the following

Corollary 13.3 $\mathcal{L}(P_1) = \mathcal{L}(P_2) \ \Longrightarrow\ \mathcal{L}(P_{1\,A}\|_B Q) = \mathcal{L}(P_{2\,A}\|_B Q)$

Proposition 13.13 Let $P$ and $Q$ be processes and let $A, B \subseteq \Sigma$ satisfy $A \subseteq B$. Let $R := P_A\|_B Q$. Then

$$ \mathcal{L}(R_A\|_B Q) = \mathcal{L}(R) \quad (157) $$

Proof. First note that

$$ \begin{aligned} R_B\|_B Q &= (P_A\|_B Q)_B\|_B Q & \text{(by definition)} \\ &= P_A\|_B (Q_B\|_B Q) & \text{(by (145))} \\ &= P_A\|_B Q & \text{(by (143))} \\ &= R. & \text{(by definition)} \end{aligned} $$

Thus, in view of Proposition 13.10 we have

$$ \mathcal{L}(R) = \mathcal{L}(R_B\|_B Q) \subseteq \mathcal{L}(R_A\|_B Q) $$

To complete the proof we need to show that the reverse inclusion holds, i.e., that

$$ \mathcal{L}(R_A\|_B Q) \subseteq \mathcal{L}(R) \quad (158) $$

First observe that

$$ \begin{aligned} R &= P_A\|_B Q & \text{(by definition)} \\ &= P_A\|_B (Q_A\|_B Q) & \text{(by (143))} \\ &= (P_A\|_A Q)_A\|_B Q. & \text{(by (145))} \end{aligned} \quad (159) $$

Also, by definition of $R$,

$$ R_A\|_B Q = (P_A\|_B Q)_A\|_B Q \quad (160) $$

In view of Proposition 13.10, we have

$$ \mathcal{L}(P_A\|_B Q) \subseteq \mathcal{L}(P_A\|_A Q) \quad (161) $$

which, with the aid of (156) yields

$$ \mathcal{L}((P_A\|_B Q)_A\|_B Q) \subseteq \mathcal{L}((P_A\|_A Q)_A\|_B Q) \quad (162) $$

Upon combining (159), (160) and (162) we obtain (158), concluding the proof.

13.4 Internalization Operator 

Let $P \in \mathcal{P}_\Sigma$ be a process and suppose that the external observer can observe only those events of $P$ that are in a proper subset $D \subset \Sigma$. To obtain a suitable model for this partially observed process, denoted $P\backslash\Theta$ $(\in \mathcal{P}_{\Sigma - \Theta})$, where $\Theta := \Sigma - D$, we define below an internalization operator

$$ \pi_\Theta : \mathcal{P}_\Sigma \to \mathcal{P}_{\Sigma - \Theta} : P \mapsto P\backslash\Theta \quad (163) $$

that deletes from $P$ all events of $P$ that belong to $\Theta$.

To define the operator $\pi_\Theta$ we proceed as follows. (We shall use here right representations of trajectories.)

For a trajectory

$$ e = (X_0, w) = (X_0, (\sigma_1, X_1) \ldots (\sigma_k, X_k)) \quad (164) $$

let $e\backslash\Theta$ denote the trajectory obtained from $e$ as follows:

(i) Delete from $e$ all occurrences of event symbols that belong to $\Theta$ (both as executed events and refused events). Thus, each refusal set $X_i$ becomes $X_i\backslash\Theta$.

(ii) Replace all consecutive refusal sets whose associated execution event symbols have been deleted by their union. That is, if (in $e$) $\sigma_{i-1} \in \Sigma - \Theta$ and $\sigma_i, \ldots, \sigma_j \in \Theta$, then replace $X_{i-1}\backslash\Theta$ by $(X_{i-1}\backslash\Theta) \cup (X_i\backslash\Theta) \cup \ldots \cup (X_j\backslash\Theta)$.

Example 13.4 Let $\Sigma = \{a, b, c, d\}$, $\Theta = \{a, b\}$ and

$$ e = (\{a, d\}, (b, \{c, d\})(a, \{b, c\})(d, \{a, b, d\})(c, \{a, b, c, d\})) $$

Then

$$ e\backslash\Theta = (\{c, d\}, (d, \{d\})(c, \{c, d\})) $$

Let $w = (\sigma_{j+1}, X_{j+1}) \ldots (\sigma_l, X_l)$ be an execution string. We say that $w$ is $\Theta$-stabilizing provided $\sigma_l \in \Sigma - \Theta$ and $\sigma_i \in \Theta$ for $i = j + 1, \ldots, l - 1$. If $w$ is $\Theta$-stabilizing, we define $w_\Theta := (\sigma_l, X_l)$. The execution string $w$ is called $\Theta$-nonstabilizing if $\sigma_i \in \Theta$ for all $i = j + 1, \ldots, l$. A sequence of execution strings $\{w^i\}$ is called $\Theta$-divergent if for each $i$, $w^i$ is a proper prefix of $w^{i+1}$ and all $w^i$ are $\Theta$-nonstabilizing.

Recall that a trajectory is valid if $\sigma_i \notin X_{i-1}$ for all $i$. We can now define the operator $\pi_\Theta$ inductively.


Definition 13.2 For a process $P$, the process $P\backslash\Theta$ is given as follows:

(i) $(X_0, \varepsilon)\backslash\Theta \in P\backslash\Theta \iff$ either (1) $(X_0 \cup \{\sharp\}, \varepsilon) \in P$, or (2) $(X_0, \varepsilon) \in P$ and for every $\Theta$-stabilizing execution string $v$ such that $(X_0, v) \in P$, $(X_0, v_\Theta)$ is valid.

(ii) $(X_0 \cup \{\sharp\}, \varepsilon)\backslash\Theta \in P\backslash\Theta \iff$ either (1) $(X_0 \cup \{\sharp\}, \varepsilon) \in P$, or (2) $\exists$ a $\Theta$-divergent sequence of execution strings $\{w^i\}$ such that $(X_0, w^i) \in P$ for all $i$.

(iii) If $e\backslash\Theta \in P\backslash\Theta$, where $e = (X_0, w) \in P$, and if $f = (X_0, w \frown (\sigma_{k+1}, X_{k+1})) \in P$, then $f\backslash\Theta \in P\backslash\Theta \iff$ either (1) $h := (X_0, w \frown (\sigma_{k+1}, X_{k+1} \cup \{\sharp\})) \in P$, or (2) $f\backslash\Theta$ is valid, and $(X_0, w \frown (\sigma_{k+1}, X_{k+1}) \frown v_\Theta)$ is valid for every $\Theta$-stabilizing execution string $v$ such that $(X_0, w \frown (\sigma_{k+1}, X_{k+1}) \frown v) \in P$.

(iv) If $e\backslash\Theta \in P\backslash\Theta$, where $e = (X_0, w) \in P$, and if $f = (X_0, w \frown (\sigma_{k+1}, X_{k+1})) \in P$, then $h\backslash\Theta \in P\backslash\Theta$ (with $h$ as in (iii)) $\iff$ either (1) $h \in P$, or (2) $\exists$ a $\Theta$-divergent sequence of execution strings $\{w^i\}$ such that $(X_0, w \frown (\sigma_{k+1}, X_{k+1}) \frown w^i) \in P$ for all $i$.


Example 13.5 Let $\Sigma = \{a, b, c, d\}$, let $\Theta = \{a\}$ and let $P$ be the following process:

$$ P = \mathrm{gen}\{ (\{c, d\}, (b, \{a, b, c, d\})),\ (\{c, d\}, (a, \{b, d\})(c, \{a, b, c, d\})),\ (\{c, d\}, (a, \{b, d\})(a, \{a, c\})(d, \{a, b, c, d\})) \} $$

Then

$$ P\backslash\{a\} = \mathrm{gen}\{ (\emptyset, (b, \{b, c, d\})),\ (\{b\}, (c, \{b, c, d\})),\ (\{b, c\}, (d, \{b, c, d\})) \} $$

Example 13.6 Let $\Sigma = \{a, b, c, d\}$, let $\Theta = \{a\}$ and let $P$ be the following process:

$$ P = \mathrm{gen}\{ (\{c, d\}, (b, \{a, b, c, d\})),\ (\{c, d\}, (a, \{b, d\})(c, \{a, b, c, d\})),\ (\{c, d\}, (a, \{b, d\})(a, \{a, b, c\})(d, \{a, b, c, d\})),\ (\{c, d\}, (a, \{b, d\})(a, \{\ldots\})^{*}) \} \quad (165) $$

Then

$$ P\backslash\{a\} = V \quad (166) $$


We have the following

Theorem 13.8 The internalization operator is well defined.

Proof. We need to show that for a process $P$, the set $P\backslash\Theta$ is a process, and thus satisfies the conditions of Definition 12.1. Conditions C1-C5 as well as C7 are straightforward and we shall prove condition C6.

Let $e\backslash\Theta = (Y_0, (\sigma_1, Y_1) \ldots (\sigma_k, Y_k)) \in P\backslash\Theta$ and assume that for some $j : 0 \le j \le k$ and some $\sigma \in \Sigma - \Theta - Y_j$, $(Y_0, (\sigma_1, Y_1) \ldots (\sigma_j, Y_j)(\sigma, \emptyset)) \notin P\backslash\Theta$. We need to show that this implies that $(Y_0, (\sigma_1, Y_1) \ldots (\sigma_j, Y_j \cup \{\sigma\}) \ldots (\sigma_k, Y_k)) \in P\backslash\Theta$.

Write $e = (X_0, u \frown w)$, where $u = (\rho_1, X_1) \ldots (\rho_l, X_l)$, $w = (\rho_{l+1}, X_{l+1}) \ldots (\rho_m, X_m)$, and $(X_0, u)\backslash\Theta = (Y_0, (\sigma_1, Y_1) \ldots (\sigma_j, Y_j))$. From the assumption that $(Y_0, (\sigma_1, Y_1) \ldots (\sigma_j, Y_j)(\sigma, \emptyset)) \notin P\backslash\Theta$, we can conclude, upon making use of Definition 13.2 (iii), that $(X_0, u \frown (\sigma, \emptyset)) \notin P$. But, upon applying condition C6 of Definition 12.1 to $P$, this implies that $e' = (X_0, (\rho_1, X_1) \ldots (\rho_l, X_l \cup \{\sigma\}) \ldots (\rho_m, X_m)) \in P$. Consequently, $e'\backslash\Theta = (Y_0, (\sigma_1, Y_1) \ldots (\sigma_j, Y_j \cup \{\sigma\}) \ldots (\sigma_k, Y_k)) \in P\backslash\Theta$ and the proof is complete.

The following property is also easily proved.

Theorem 13.9 For subsets $\Theta_1, \Theta_2 \subseteq \Sigma$, $(P\backslash\Theta_1)\backslash\Theta_2 = (P\backslash\Theta_2)\backslash\Theta_1 = P\backslash(\Theta_1 \cup \Theta_2)$.

We turn now to the operational (transition) behavior of the internalization operator. First we need to define the internalization of (left) execution strings. If $w$ is an execution string of the process $P$, we shall denote by $w\backslash\Theta$ the corresponding execution string of $P\backslash\Theta$ (after internalization). Let

$$ w = (X_0, \sigma_1) \ldots (X_{k-1}, \sigma_k) $$

If $\sigma_i \in \Theta$ for all $i = 1, \ldots, k$, we define $w\backslash\Theta := \varepsilon$, the empty string. In the general case, write $w = w' \frown w''$, where

$$ w' = (X_0, \sigma_1) \ldots (X_{l-1}, \sigma_l) $$

$$ w'' = (X_l, \sigma_{l+1}) \ldots (X_{k-1}, \sigma_k) $$

with $\sigma_l \in \Sigma - \Theta$, and $\sigma_i \in \Theta$ for all $i = l + 1, \ldots, k$. We define $w\backslash\Theta$ as follows:

$$ w\backslash\Theta := (w' \frown w'')\backslash\Theta := (w'\backslash\Theta) \frown (w''\backslash\Theta) = (w'\backslash\Theta) \frown \varepsilon = w'\backslash\Theta $$

with $w'\backslash\Theta$ as defined below. We can rewrite $w'$ as

$$ w' = ((X_0, (\sigma_1, X_1) \ldots (\sigma_{l-1}, X_{l-1})), \sigma_l) = (e', \sigma_l) $$

where

$$ e' = (X_0, (\sigma_1, X_1) \ldots (\sigma_{l-1}, X_{l-1})) $$

We now have

$$ w'\backslash\Theta := (e'\backslash\Theta, \sigma_l) \quad (167) $$

where $e'\backslash\Theta$ is the $\Theta$-internalization of $e'$ as defined above.

Example 13.7 Let $\Sigma = \{a, b, c, d\}$, $\Theta = \{a\}$, and

$$ w = (\{c, d\}, a)(\{b, d\}, a)(\{a, b, c\}, d)(\{b, c, d\}, a) $$

Then,

$$ w\backslash\Theta = (\{b, c, d\}, d) $$


Proposition 13.14 $P \xrightarrow{w} Q \ \Longrightarrow\ (P\backslash\Theta) \xrightarrow{w\backslash\Theta} (Q\backslash\Theta)$

The above proposition implies, just as we might expect, that events in $\Theta$ occur spontaneously whenever they can and the process $P\backslash\Theta$ undergoes corresponding unobserved (silent) transitions.

Proposition 13.15

$$ (b \to P)\backslash\{a\} = \begin{cases} P\backslash\{a\} & \text{if } b = a \\ (b \to P\backslash\{a\}) & \text{if } b \neq a \end{cases} $$


For the proof of Proposition 13.15 we shall make use of the following lemmas.

Lemma 13.1

(i) $((\emptyset, a) \frown w, X)\backslash\{a\} = (w, X)\backslash\{a\}$

(ii) $((\emptyset, a) \frown w, X)\backslash\{a\} \in (a \to P)\backslash\{a\} \iff (w, X)\backslash\{a\} \in P\backslash\{a\}$

Lemma 13.2 Let $e := (X, \varepsilon) \in (a \to P)$. If $e\backslash\{a\}$ $(= e)$ $\in (a \to P)\backslash\{a\}$, then $e \in P$ and $e\backslash\{a\} \in P\backslash\{a\}$.

Proof. Let $(X, \varepsilon) \in (a \to P)$. Then $a \notin X$ and, by condition (i) of Definition 13.2, $(X, \varepsilon)\backslash\{a\}$ $(= (X, \varepsilon))$ $\in (a \to P)\backslash\{a\}$ if and only if for every $\{a\}$-stabilizing (right) execution string $w$ such that $(X, w) \in (a \to P)$, $(X, w_{\{a\}})$ is valid. But each such execution string $w$ can be written as $w = ((a, Z) \frown v)$, where $(Z, v)$ is a trajectory of $P$. Since $v$ is clearly also an $\{a\}$-stabilizing (right) execution string, and $w_{\{a\}} = v_{\{a\}}$, it follows from condition (i) of Definition 13.2 (applied now to $P$) that if $(X, \varepsilon) \in P$ then $(X, \varepsilon)\backslash\{a\} \in P\backslash\{a\}$. It remains to be shown that $(X, \varepsilon) \in P$. If $(X, \varepsilon) \notin P$, then there exists $Y \subset X$ and $x \in X - Y$ such that $(Y, \varepsilon) \in P$ and $(Y \cup \{x\}, \varepsilon) \notin P$. By Condition C6 of Definition 12.1 this implies that $(Y, (x, \emptyset)) \in P$ which in turn implies that $(X, (a, Y)(x, \emptyset)) \in (a \to P)$. Since $x \in X$, it then follows that $(X, (x, \emptyset))$ is not valid. But this is impossible since $(X, \varepsilon)\backslash\{a\} \in (a \to P)\backslash\{a\}$, concluding the proof.

Proof of Proposition 13.15. We shall prove the case when $b = a$. The case when $b \neq a$ is straightforward. First note that as an immediate consequence of Lemma 13.1 we have that $P\backslash\{a\} \subseteq (a \to P)\backslash\{a\}$. Thus, we only need to prove the reverse inclusion, i.e., that $(a \to P)\backslash\{a\} \subseteq P\backslash\{a\}$. By Lemma 13.2, this is true for all trajectories of the form $e = (X, \varepsilon) \in (a \to P)$. As a further consequence of Lemma 13.2 it follows that for every trajectory $e = ((X, a)(Y_1, \sigma_2) \ldots (Y_{k-1}, \sigma_k), Y_k) \in (a \to P)$, such that $e\backslash\{a\} \in (a \to P)\backslash\{a\}$, there exists $Y_1 \subseteq X$ such that $f = ((Y_1, \sigma_2) \ldots (Y_{k-1}, \sigma_k), Y_k) \in P$, $f\backslash\{a\} \in P\backslash\{a\}$ and $f\backslash\{a\} = e\backslash\{a\}$. This concludes the proof.

The internalization operator distributes over the internal choice:

Proposition 13.16 $(P \oplus Q)\backslash\{a\} = P\backslash\{a\} \oplus Q\backslash\{a\}$

The internalization operator does not distribute over the external choice operator but the following simplifying equation holds.

Proposition 13.17 $((a \to P) + Q)\backslash\{a\} = P\backslash\{a\} \oplus (P + Q)\backslash\{a\}$

Finally, the following relation between parallel composition and internalization will be important to our study of control:

Proposition 13.18 $\mathcal{L}((P_A\|_B Q)\backslash(\Sigma - A)) \subseteq \mathcal{L}(P\backslash(\Sigma - A))$

Proof. Since for a process $P$, we can identify $\mathcal{L}(P)$ with $P_f$, its set of free trajectories (see Section II), we need to consider only the free trajectories of $P$ and $Q$. We proceed by induction on trajectory length. The trajectory $(\emptyset, \varepsilon)$ is in every process. So assume that the proposition holds for all trajectories of length up to and including $k$. We shall show that the proposition holds also for trajectories of length $k + 1$. Let $(\emptyset, w) \in (P_A\|_B Q)\backslash(\Sigma - A)$ be a free trajectory of length $k$ and, for $\sigma \in A$, assume that $(\emptyset, w \frown (\sigma, \emptyset)) \in (P_A\|_B Q)\backslash(\Sigma - A)$. We wish to show that this implies that $(\emptyset, w \frown (\sigma, \emptyset)) \in P\backslash(\Sigma - A)$ as well. Let $E$ be the subset of all free trajectories $e \in P$ for which there exist $f \in Q$ satisfying

$$ (\emptyset, w) = e\backslash(\Sigma - A) \in (e_A\|_B f)\backslash(\Sigma - A) $$

(Notice that free trajectories are always valid.) By assumption, the set $E$ is nonempty and for some $e \in E$ there exists $f \in Q$, such that $(\emptyset, w \frown (\sigma, \emptyset)) \in (e_A\|_B f \frown (\sigma, \emptyset))\backslash(\Sigma - A)$. Since $\sigma \in A$ it then follows from Definition 13.1, that $e \frown (\sigma, \emptyset) \in P$, concluding the proof.

13.5 Projection Operator 

Let $\rho : \Sigma \to \Sigma$ be a map, and extend $\rho$ to a map $\Sigma_{td} \to \Sigma_{td}$ by letting $\rho$ map each of the special symbols of $\Sigma_{td} - \Sigma$ to itself. Let $P \in \mathcal{P}_\Sigma$ be a process and let

$$ e = (X_0, (\sigma_1, X_1) \ldots (\sigma_k, X_k)) \in P $$

be a trajectory. Then the map $\rho$ is extended to trajectories by letting

$$ \rho(e) = (\rho(X_0), (\rho(\sigma_1), \rho(X_1)) \ldots (\rho(\sigma_k), \rho(X_k))) \quad (168) $$

where for a subset $X \subseteq \Sigma_{td}$, $\rho(X) := \{\rho(x) \mid x \in X\}$. The map $\rho$ is applied to execution strings in a similar way. We call this operator $\rho$ a projection operator. We wish to define $\rho(P)$ to be the process whose execution strings are $\rho(w)$ whenever the execution strings of $P$ are $w$, that is,

$$ P \xrightarrow{w} Q \ \Longrightarrow\ \rho(P) \xrightarrow{\rho(w)} \rho(Q) \quad (169) $$

To this end define for a trajectory $e \in P$

$$ e_\rho := (\rho^{-1}\rho(X_0), (\sigma_1, \rho^{-1}\rho(X_1)) \ldots (\sigma_k, \rho^{-1}\rho(X_k))) \quad (170) $$

where $\rho^{-1}(X)$ denotes the inverse image of $X$ under $\rho$. The definition of $\rho(P)$ is then as follows:

$$ \rho(P) := \{\, \rho(e) \in \mathcal{O}_\Sigma \mid e_\rho \in P \,\} \quad (171) $$

Notice that $e_\rho \in P$ implies that $e \in P$ in view of the fact that the inclusion $X \subseteq \rho^{-1}\rho(X)$ always holds. (The converse implication does not hold in general.)

Proposition 13.19 The set $\rho(P)$ is a process.

Proof. As usual, we need to show that conditions C1-C7 of Definition 12.1 are all satisfied. Thus, note first that for the trajectory $e = (\emptyset, \varepsilon)$, $\rho(e) = (\emptyset, \varepsilon)$. Also, $e_\rho = (\emptyset, \varepsilon)$, whence $(\emptyset, \varepsilon) \in \rho(P)$ and condition C1 holds. To see that condition C2 holds, suppose that for some trajectory $\rho(e) \in \rho(P)$ $(e \in P)$ and some $i$, $\rho(\sigma_i) \in \rho(X_{i-1})$. Then $\sigma_i \in \rho^{-1}\rho(X_{i-1})$, which is impossible since by definition of $\rho(P)$, $\rho(e) \in \rho(P)$ only if $e_\rho \in P$. Hence condition C2 holds. We turn now to condition C6 and proceed as follows. Assume that

$$ \rho(e) = (\rho(X_0), (\rho(\sigma_1), \rho(X_1)) \ldots (\rho(\sigma_k), \rho(X_k))) \in \rho(P) $$

$$ \rho(h) = (\rho(X_0), (\rho(\sigma_1), \rho(X_1)) \ldots (\rho(\sigma_j), \rho(X_j))(\rho(\sigma), \emptyset)) \notin \rho(P) $$

Then by (171)

$$ e_\rho = (\rho^{-1}\rho(X_0), (\sigma_1, \rho^{-1}\rho(X_1)) \ldots (\sigma_k, \rho^{-1}\rho(X_k))) \in P $$

$$ h_\rho = (\rho^{-1}\rho(X_0), (\sigma_1, \rho^{-1}\rho(X_1)) \ldots (\sigma_j, \rho^{-1}\rho(X_j))(\sigma, \emptyset)) \notin P $$

Upon applying condition C6 to $P$, we then conclude that

$$ g_\rho := (\rho^{-1}\rho(X_0), (\sigma_1, \rho^{-1}\rho(X_1)) \ldots (\sigma_j, \rho^{-1}\rho(X_j \cup \{\sigma\})) \ldots (\sigma_k, \rho^{-1}\rho(X_k))) \in P $$

Thus

$$ g := (\rho(X_0), (\rho(\sigma_1), \rho(X_1)) \ldots (\rho(\sigma_j), \rho(X_j \cup \{\sigma\})) \ldots (\rho(\sigma_k), \rho(X_k))) \in \rho(P) $$

and condition C6 holds. The remaining conditions are straightforward. The process $\rho(P)$ is called the image of $P$ under $\rho$. We can also define the inverse image of a process $Q$ under a projection operator $\rho$ as the union of all processes $P$ such that $\rho(P) = Q$, that is

$$ \rho^{-1}(Q) := \bigcup \{\, P \mid \rho(P) = Q \,\} $$

or, alternatively,

$$ \rho^{-1}(Q) := \{\, e \in \mathcal{O}_\Sigma \mid \rho(e) \in Q \,\} \quad (172) $$

The proof that the set $\rho^{-1}(Q)$ as defined above satisfies the conditions of Definition 12.1 is straightforward and is left to the reader.


14. CONTROL 


The control of a discrete event process is accomplished through its interaction with the environment. Thus, we think of the environment as being capable of influencing the occurrence of certain events in the process under consideration. In particular, if the environment is itself a process, called a supervisor, control can be achieved by the (prioritized) parallel composition of the process and the supervisor. To make this idea precise, something must be said about the events that participate in the control process. Thus, the event set $\Sigma$ is partitioned into three disjoint subsets

$$ \Sigma = \Sigma_u \cup \Sigma_c \cup \Sigma_d \quad (173) $$

where $\Sigma_u$ is the subset of uncontrollable events that occur spontaneously in the process and cannot be disabled by the environment, $\Sigma_c$ is the set of controllable events that occur spontaneously in the process but can be disabled by the environment (and hence can be thought of as requiring the participation of the environment), and finally $\Sigma_d$ is the set of driven events that in order to take place must be triggered, or forced, by the environment. To make this event classification mathematically more precise, we require that the priority sets $A$ and $B$ of the process $P$ and the supervisor $S$, respectively, satisfy the conditions that $\Sigma_u \cup \Sigma_c \subseteq A$ and $\Sigma_c \cup \Sigma_d = B$.

Our interpretation of these priority sets is then as follows: Events in $\Sigma_u$ are always initiated by and occur spontaneously in $P$. If they can also occur in the supervisor $S$, this occurrence will be interpreted as being triggered by $P$ and hence their occurrence in $S$ will be assumed to coincide with that in $P$. But if the supervisor cannot execute the corresponding event in $\Sigma_u$, it will still take place in $P$ disregarding $S$. Events in $\Sigma_c$ are spontaneous events of $P$ but their occurrence is possible only if they are not disabled by $S$. We model this participation of $S$ in events of $\Sigma_c$ by allowing them also to take place in $S$. Thus events of $\Sigma_c$ will take place if and only if both processes $P$ and $S$ execute them concurrently. Finally, events in $\Sigma_d$ cannot occur without being triggered by $S$. Thus, they must be in the priority set $B$ of $S$. If an event $\sigma \in \Sigma_d$ is also in $A$, then we interpret it as a closed-loop driven event, meaning that the controller waits for the occurrence of the event in $P$ before it proceeds with its own transitions. Thus, closed-loop driven events are, in so far as concurrency is concerned, indistinguishable from events of $\Sigma_u$ (certain other restrictions must be imposed for physical realizability (see e.g. [7, 14]) but this will be of no concern to us here). However, events of $\Sigma_d$ can be triggered also open-loop, and hence will occur in the concurrent process whenever they are triggered by $S$ (whether or not they also occur in $P$) and will occur in $P$ (concurrently) whenever they are possible in $P$ at the time. Open-loop driven events thus differ from events in $\Sigma_c$ in that they can take place in the concurrent process even if the process $P$ fails to participate. It is easily seen that open-loop driven events play the same formal role in the supervisor as uncontrollable events in the process.

The controlled, or closed-loop, process is then given by

$$ R = (S/P) := P_A\|_B S \quad (174) $$

The enablement-disablement control mechanism was introduced by Wonham and Ramadge in [45] while the (closed-loop) control mechanism with driven events was introduced by Golaszewski and Ramadge in [14] and, (in a real-time control setting) by Brave and Heymann [7] (and was called there forcing). The open-loop control mechanism with driven events is new.

We identify process behavior with the language that it generates. Thus, a behavioral specification is, typically, a statement about languages. If $\Sigma_s \subseteq \Sigma$ is some event subset, then a local specification might consist of a pair of languages $\underline{K}_s, \overline{K}_s \subseteq \Sigma_s^*$ such that $\mathcal{L}(P\backslash(\Sigma - \Sigma_s))$, the localization of the process language to $\Sigma_s$, satisfies the constraint

$$ \underline{K}_s \subseteq \mathcal{L}(P\backslash(\Sigma - \Sigma_s)) \subseteq \overline{K}_s \quad (175) $$

Frequently, $\underline{K}_s = \emptyset$ and the specification might consist of the upper bound constraint only. If $\Sigma_s = \Sigma$, we call the corresponding specification global.

In the remainder of the present section we confine our attention to the Wonham- 
Ramdage framework of control [45]. Thus we shall assume henceforth that £ = £«, U £ c , 
A := £ u U £ c = £ and B — £ c . In view of Proposition 13.18 it is then clear that if S' is a 
supervisor for a process P , then 

£(S/P) = C(Px\\* c S)CC{P) (176) 

We can now introduce the concept of controllable languages. 

Definition 14.1 Let 1C be a closed sublanguage of C(P). K is said to be controllable if and 
only if there exists a supervisor S such that 

K = AP E |kS) ( 177 ) 


The following theorem is an abstract characterization of controllable languages. (Recall that 
for a closed language /C, det(1C) is the deterministic process whose language is K as defined 
in Section II.) 

Theorem 14.1 A closed language /C is controllable if and only if 

C(Px\\s c det(K)) = K (178) 


Proof. If (178) holds, then det(1 C) can serve as supervisor and there is nothing to prove. 
Conversely, suppose that K is controllable. We need to show that det(K.) satisfies (178), 
i.e., that det{K) can be used as supervisor. Suppose S is a supervisor such that R = 
P s || Ec g and C(R) = 1C. Then (178) follows easily from Proposition 13.13, which implies that 
C(Pv\\v c R) = £{R) and Corollary 13.3, which implies that C(P^\\j: c det(K)) — ^('P±||± J '^). 
A more concrete characterization of controllability (which was actually used as definition 
of controllability by Wonham and Ramadge in [45]) is the following corollary to the above 
theorem: 

Theorem 14.2 A closed sublanguage $K \subseteq \mathcal{L}(P)$ is controllable if and only if for all traces 
$t\sigma \in \mathcal{L}(P)$ such that $t \in K$ and $\sigma \in \Sigma$, 

$$t\sigma \notin K \;\Rightarrow\; \sigma \in \Sigma_c \qquad (179)$$


As an immediate consequence of Theorem 13.6 we have the following 

Proposition 14.1 Let $P$ be a process. The class of controllable sublanguages of $\mathcal{L}(P)$ is 
closed under set union. 
Consider now a process $P$, and let $\Delta$, the deadlock process, serve as supervisor. The con- 
trolled process is then given as 

$$\Delta/P = P_{\Sigma}\|_{\Sigma_c} \Delta \qquad (180)$$

and it is clear from Proposition 156 that if $S$ is any supervisor for $P$, then 

$$\mathcal{L}(\Delta/P) \subseteq \mathcal{L}(S/P) \qquad (181)$$

Thus, the language $\mathcal{L}(\Delta/P)$ is the smallest controllable sublanguage of $\mathcal{L}(P)$. We denote this 
sublanguage by $S_P$ and call it the spontaneous language of $P$. 


Theorem 14.3 Let $P$ be a process. Let $K \subseteq \mathcal{L}(P)$ be a nonempty closed sublanguage. If 
$S_P \subseteq K$, then $K$ contains a unique nonempty supremal controllable sublanguage. 
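The controllability test of Theorem 14.2, the union closure of Proposition 14.1, the spontaneous language of (180)-(181) and the supremal controllable sublanguage of Theorem 14.3 can all be worked out by hand on a finite plant. The following Python is an added example, not code from the report: a trace is a tuple of event names, a language is a prefix-closed set of traces, and the plant language, the controllable alphabet `SIGMA_C` and the helper names are this example's own assumptions. Read `SIGMA_C` as the events a security monitor may block; the uncontrollable events are those the monitor can only observe.

```python
"""Supervisory-control checks on finite, prefix-closed languages.

Added example, not from the report.  A trace is a tuple of event names and a
language is a frozenset of traces closed under prefixes.  The plant language
L(P) (PLANT), the controllable alphabet Sigma_c (SIGMA_C) and all helper
names are this example's own constructed assumptions.
"""


def prefix_closure(traces):
    """Prefix closure of a set of traces; always contains the empty trace."""
    closed = {()}
    for t in traces:
        for i in range(1, len(t) + 1):
            closed.add(t[:i])
    return frozenset(closed)


def is_controllable(K, plant, sigma_c):
    """Theorem 14.2, condition (179): K is controllable iff every one-event
    extension t.sigma in L(P) of a trace t in K that falls outside K uses a
    controllable event.  An uncontrollable event can never leave K."""
    assert K <= plant, "K must be a sublanguage of L(P)"
    for u in plant:
        if not u:
            continue
        t, sigma = u[:-1], u[-1]
        if t in K and u not in K and sigma not in sigma_c:
            return False
    return True


def spontaneous_language(plant, sigma_c):
    """L(Delta/P) of (180)-(181): the deadlock supervisor disables every
    controllable event, so exactly the traces made of uncontrollable events
    remain.  This is the smallest controllable sublanguage of L(P)."""
    return frozenset(t for t in plant if all(e not in sigma_c for e in t))


def supremal_controllable(K, plant, sigma_c):
    """Theorem 14.3: the largest controllable sublanguage of a closed K.
    Repeatedly delete every trace of K that the plant can leave through an
    uncontrollable event (together with all its extensions, which keeps the
    result prefix-closed) until nothing more is deleted."""
    current = frozenset(K)
    while True:
        bad = set()
        for u in plant:
            if u and u[:-1] in current and u not in current and u[-1] not in sigma_c:
                bad.add(u[:-1])
        if not bad:
            return current
        current = frozenset(
            t for t in current if not any(t[: len(b)] == b for b in bad)
        )


# Constructed plant: a monitor may block 'open', 'exec' and 'read' but cannot
# prevent a 'timeout' or an I/O 'fail' once the plant chooses to produce one.
SIGMA_C = frozenset({"open", "exec", "read"})
PLANT = prefix_closure({
    ("open", "exec", "timeout"),
    ("open", "fail"),
    ("timeout",),
    ("read",),
})

# A specification that forbids ('open','fail') is not enforceable: after
# 'open' the uncontrollable 'fail' may occur and the monitor cannot stop it.
K_UNENFORCEABLE = prefix_closure({("open", "exec"), ("timeout",)})
# These two only ever exclude controllable continuations, so both are
# controllable, and so is their union (Proposition 14.1).
K_NO_EXEC = prefix_closure({("open", "fail"), ("timeout",)})
K_READ_ONLY = prefix_closure({("read",), ("timeout",)})

if __name__ == "__main__":
    print("K_UNENFORCEABLE controllable:", is_controllable(K_UNENFORCEABLE, PLANT, SIGMA_C))
    print("spontaneous language:", sorted(spontaneous_language(PLANT, SIGMA_C)))
    print("sup C(K_UNENFORCEABLE):", sorted(supremal_controllable(K_UNENFORCEABLE, PLANT, SIGMA_C)))
```

For `K_UNENFORCEABLE` the pruning removes `('open',)` and everything after it, leaving exactly the spontaneous language `{(), ('timeout',)}`; a specification that does not even contain the spontaneous language (for instance one omitting the lone `('timeout',)` trace) prunes down to the empty set, which is why Theorem 14.3 assumes $S_P \subseteq K$.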

Let $K \subseteq \Sigma^*$ be a closed language. Two traces $s_1, s_2 \in K$ are called (Nerode) equivalent if for 
all $t \in K$, $s_1 t \in K \Leftrightarrow s_2 t \in K$. Thus, two traces of $K$ are equivalent if they have the same 
continuations in $K$. We denote the (Nerode) equivalence class of a trace $s \in K$ by $[s]_K$ or, 
when no confusion can arise, simply by $[s]$. With the aid of the Nerode equivalence relation, 
it is easy to construct a state-transition graph (actually a state-transition tree) as follows. Let 
the state set $Q$ be identified with the set of all equivalence classes of $K$. If $q, q' \in Q$ are two 
states such that $q = [s]$ and $q' = [t]$, then there is an edge or transition labeled $\sigma$ from $q$ to 
$q'$ if $s\sigma \in [t]$. We shall call this transition graph associated with $K$ canonical. 

Definition 14.2 Let $\Theta \subseteq \Sigma$ be a given subset. A closed language $K \subseteq \Sigma^*$ is called $\Theta$-flat if 
for any $s \in K$ and $\sigma_1, \sigma_2 \in \Theta$, 

$$s\sigma_1, s\sigma_2 \in K \;\Rightarrow\; [s\sigma_1] = [s\sigma_2] \qquad (182)$$

It is clear that if $K$ is a $\Theta$-flat closed language, then the canonical state graph $G$ of $K$ has 
the property that, given any state $q$ of $G$, all state-transitions labeled with events from 
$\Theta$ lead to the same target state $q'$ (if the set of such transitions at $q$ is nonempty). 
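The Nerode classes, the canonical transition graph and the $\Theta$-flatness condition (182) are all finitely computable for a finite closed language. The following Python is an added example, not code from the report: traces are tuples of event names, the sample languages and the subset `THETA` are constructed here, and continuations of a trace $s$ are taken to be all $t$ with $st \in K$, following the sentence "the same continuations in $K$" above.

```python
"""Nerode classes, the canonical transition graph and the Theta-flatness test
of Definition 14.2 for a finite closed language.

Added example, not from the report.  Traces are tuples of event names; the
sample languages and the subset THETA are constructed here.  Continuations
of a trace s are taken to be all t with s.t in K.
"""


def prefix_closure(traces):
    """Prefix closure of a set of traces; always contains the empty trace."""
    closed = {()}
    for t in traces:
        for i in range(1, len(t) + 1):
            closed.add(t[:i])
    return frozenset(closed)


def continuations(K, s):
    """All t such that s.t lies in K."""
    return frozenset(u[len(s):] for u in K if u[: len(s)] == s)


def nerode_classes(K):
    """Map every s in K to a representative of its Nerode class [s]: two
    traces are equivalent iff they have the same continuations in K.  The
    shortest (then lexicographically least) member represents the class."""
    rep, by_cont = {}, {}
    for s in sorted(K, key=lambda t: (len(t), t)):
        rep[s] = by_cont.setdefault(continuations(K, s), s)
    return rep


def canonical_graph(K):
    """States are the Nerode classes (named by representative); there is an
    edge [s] --sigma--> [s.sigma] exactly when s.sigma is in K.  Because the
    Nerode relation is right-invariant the target does not depend on the
    chosen member s of the class."""
    rep = nerode_classes(K)
    alphabet = {e for t in K for e in t}
    edges = set()
    for s in K:
        for e in alphabet:
            if s + (e,) in K:
                edges.add((rep[s], e, rep[s + (e,)]))
    return frozenset(rep.values()), frozenset(edges)


def is_theta_flat(K, theta):
    """Condition (182): for every s in K, all extensions s.sigma with sigma in
    theta that lie in K must fall into one and the same Nerode class, i.e.
    all theta-labelled transitions out of a state share their target."""
    rep = nerode_classes(K)
    for s in K:
        targets = {rep[s + (e,)] for e in theta if s + (e,) in K}
        if len(targets) > 1:
            return False
    return True


# Constructed sample: after 'auth' the user completes either second factor;
# if both factors lead to the same future behaviour the language is THETA-flat.
THETA = frozenset({"otp", "push"})
K_FLAT = prefix_closure({("auth", "otp", "grant"), ("auth", "push", "grant")})
K_NOT_FLAT = prefix_closure({("auth", "otp", "grant"), ("auth", "push", "deny")})

if __name__ == "__main__":
    states, edges = canonical_graph(K_FLAT)
    print(len(states), "states;", sorted(edges))
    print("K_FLAT theta-flat:", is_theta_flat(K_FLAT, THETA))
    print("K_NOT_FLAT theta-flat:", is_theta_flat(K_NOT_FLAT, THETA))
```

In `K_FLAT` the traces `('auth','otp')` and `('auth','push')` have the same continuation set `{(), ('grant',)}`, so they collapse into one Nerode state and the canonical graph has four states with both $\Theta$-labelled edges out of $[(\mathrm{auth})]$ sharing a target; in `K_NOT_FLAT` their continuations differ, the graph has five states, and (182) fails at $s = (\mathrm{auth})$.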